@dofe/sso-browser 0.1.42

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export * from './sso-session';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../packages/sso-browser/src/index.ts"],"names":[],"mappings":"AAAA,cAAc,eAAe,CAAC"}

package/dist/index.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./sso-session"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../packages/sso-browser/src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,gDAA8B"}

package/dist/sso-session.d.ts

@@ -0,0 +1,64 @@
+/**
+ * SSO cross-subdomain session detection utilities.
+ *
+ * On page load, subdomain apps can check if the user
+ * already has a session at the central SSO via:
+ *   Layer 1: fetch API to /auth/session (same-site, cookie sent automatically)
+ *   Layer 2: hidden iframe + postMessage (fallback for strict browser policies)
+ *   Layer 3: full OIDC redirect (existing flow, always works)
+ */
+/**
+ * User information from SSO session.
+ * Projects should extend this interface or provide their own.
+ */
+export interface SsoUserInfo {
+    id: string;
+    email?: string;
+    nickname?: string;
+    avatar?: string;
+    tenantId?: string;
+}
+/**
+ * Session data returned from SSO.
+ */
+export interface SsoSessionData {
+    user: SsoUserInfo;
+    access: string;
+    refresh: string;
+    accessExpire: number;
+    expire: number;
+}
+/**
+ * Configuration for SSO session detection.
+ */
+export interface SsoSessionConfig {
+    /** SSO base URL (e.g., 'https://sso.dofe.ai') */
+    ssoBaseUrl: string;
+    /** Timeout in milliseconds for silent check (default: 5000) */
+    timeoutMs?: number;
+}
+/**
+ * Layer 1: Check SSO session via direct fetch API call.
+ * Since all subdomains share the same domain, the access_token cookie
+ * is sent automatically with SameSite=Lax + credentials:'include'.
+ *
+ * @param config - SSO configuration with base URL
+ * @returns Session data if authenticated, null otherwise
+ */
+export declare function checkSsoSession(config: SsoSessionConfig): Promise<SsoSessionData | null>;
+/**
+ * Layer 2: Check SSO session via hidden iframe + postMessage.
+ * Fallback for browsers that block third-party cookies or CORS requests.
+ *
+ * @param config - SSO configuration with base URL
+ * @returns Session data if authenticated, null otherwise
+ */
+export declare function checkSsoSessionViaIframe(config: SsoSessionConfig): Promise<SsoSessionData | null>;
+/**
+ * Combined session check - tries Layer 1 first, then Layer 2 if needed.
+ *
+ * @param config - SSO configuration with base URL
+ * @returns Session data if authenticated, null otherwise
+ */
+export declare function checkSsoSessionCombined(config: SsoSessionConfig): Promise<SsoSessionData | null>;
+//# sourceMappingURL=sso-session.d.ts.map

package/dist/sso-session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sso-session.d.ts","sourceRoot":"","sources":["../../../packages/sso-browser/src/sso-session.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,WAAW,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,iDAAiD;IACjD,UAAU,EAAE,MAAM,CAAC;IACnB,+DAA+D;IAC/D,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAID;;;;;;;GAOG;AACH,wBAAsB,eAAe,CACnC,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAqBhC;AAED;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAkDhC;AAED;;;;;GAKG;AACH,wBAAsB,uBAAuB,CAC3C,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAShC"}

package/dist/sso-session.js

@@ -0,0 +1,115 @@
+"use strict";
+/**
+ * SSO cross-subdomain session detection utilities.
+ *
+ * On page load, subdomain apps can check if the user
+ * already has a session at the central SSO via:
+ *   Layer 1: fetch API to /auth/session (same-site, cookie sent automatically)
+ *   Layer 2: hidden iframe + postMessage (fallback for strict browser policies)
+ *   Layer 3: full OIDC redirect (existing flow, always works)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkSsoSession = checkSsoSession;
+exports.checkSsoSessionViaIframe = checkSsoSessionViaIframe;
+exports.checkSsoSessionCombined = checkSsoSessionCombined;
+const DEFAULT_TIMEOUT_MS = 5000;
+/**
+ * Layer 1: Check SSO session via direct fetch API call.
+ * Since all subdomains share the same domain, the access_token cookie
+ * is sent automatically with SameSite=Lax + credentials:'include'.
+ *
+ * @param config - SSO configuration with base URL
+ * @returns Session data if authenticated, null otherwise
+ */
+async function checkSsoSession(config) {
+    const { ssoBaseUrl } = config;
+    try {
+        const res = await fetch(`${ssoBaseUrl}/auth/session`, {
+            method: 'GET',
+            credentials: 'include',
+            cache: 'no-store',
+            mode: 'cors',
+        });
+        if (!res.ok)
+            return null;
+        const body = await res.json();
+        if (body.code !== 0 || !body.data?.access)
+            return null;
+        return body.data;
+    }
+    catch {
+        // Network error or CORS blocked — fall through to next layer
+        return null;
+    }
+}
+/**
+ * Layer 2: Check SSO session via hidden iframe + postMessage.
+ * Fallback for browsers that block third-party cookies or CORS requests.
+ *
+ * @param config - SSO configuration with base URL
+ * @returns Session data if authenticated, null otherwise
+ */
+function checkSsoSessionViaIframe(config) {
+    const { ssoBaseUrl, timeoutMs = DEFAULT_TIMEOUT_MS } = config;
+    return new Promise((resolve) => {
+        let settled = false;
+        let iframe = null;
+        const finish = (result) => {
+            if (settled)
+                return;
+            settled = true;
+            clearTimeout(timeout);
+            window.removeEventListener('message', handler);
+            if (iframe) {
+                iframe.onerror = null;
+                iframe.onload = null;
+            }
+            try {
+                if (iframe) {
+                    document.body.removeChild(iframe);
+                }
+            }
+            catch {
+                /* already removed */
+            }
+            resolve(result);
+        };
+        const timeout = setTimeout(() => finish(null), timeoutMs);
+        const handler = (event) => {
+            // Exact origin match to prevent spoofing via sibling subdomains
+            if (event.origin !== ssoBaseUrl)
+                return;
+            if (event.data?.type === 'SSO_SILENT_CHECK_RESULT') {
+                if (event.data.authenticated && event.data.data) {
+                    finish(event.data.data);
+                }
+                else {
+                    finish(null);
+                }
+            }
+        };
+        window.addEventListener('message', handler);
+        iframe = document.createElement('iframe');
+        iframe.src = `${ssoBaseUrl}/auth/silent-check?parent=${encodeURIComponent(window.location.origin)}`;
+        iframe.style.display = 'none';
+        iframe.setAttribute('aria-hidden', 'true');
+        iframe.onerror = () => finish(null);
+        document.body.appendChild(iframe);
+    });
+}
+/**
+ * Combined session check - tries Layer 1 first, then Layer 2 if needed.
+ *
+ * @param config - SSO configuration with base URL
+ * @returns Session data if authenticated, null otherwise
+ */
+async function checkSsoSessionCombined(config) {
+    // Try Layer 1 first (direct fetch)
+    const sessionData = await checkSsoSession(config);
+    if (sessionData) {
+        return sessionData;
+    }
+    // Fall back to Layer 2 (iframe + postMessage)
+    return checkSsoSessionViaIframe(config);
+}
+//# sourceMappingURL=sso-session.js.map

package/dist/sso-session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sso-session.js","sourceRoot":"","sources":["../../../packages/sso-browser/src/sso-session.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;AA6CH,0CAuBC;AASD,4DAoDC;AAQD,0DAWC;AAjHD,MAAM,kBAAkB,GAAG,IAAI,CAAC;AAEhC;;;;;;;GAOG;AACI,KAAK,UAAU,eAAe,CACnC,MAAwB;IAExB,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,CAAC;IAE9B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,UAAU,eAAe,EAAE;YACpD,MAAM,EAAE,KAAK;YACb,WAAW,EAAE,SAAS;YACtB,KAAK,EAAE,UAAU;YACjB,IAAI,EAAE,MAAM;SACb,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QAEzB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,IAAI,IAAI,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM;YAAE,OAAO,IAAI,CAAC;QAEvD,OAAO,IAAI,CAAC,IAAsB,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,6DAA6D;QAC7D,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,wBAAwB,CACtC,MAAwB;IAExB,MAAM,EAAE,UAAU,EAAE,SAAS,GAAG,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAE9D,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,IAAI,MAAM,GAA6B,IAAI,CAAC;QAE5C,MAAM,MAAM,GAAG,CAAC,MAA6B,EAAE,EAAE;YAC/C,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,YAAY,CAAC,OAAO,CAAC,CAAC;YACtB,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YAC/C,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC;gBACtB,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC;YACvB,CAAC;YACD,IAAI,CAAC;gBACH,IAAI,MAAM,EAAE,CAAC;oBACX,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;gBACpC,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,qBAAqB;YACvB,CAAC;YACD,OAAO,CAAC,MAAM,CAAC,CAAC;QAClB,CAAC,CAAC;QAEF,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,SAAS,CAAC,CAAC;QAE1D,MAAM,OAAO,GAAG,CAAC,KAAmB,EAAE,EAAE;YACtC,gEAAgE;YAChE,IAAI,KAAK,CAAC,MAAM,KAAK,UAAU;gBAAE,OAAO;YAExC,IAAI,KAAK,CAAC,IAAI,EAAE,IAAI,KAAK,yBAAyB,EAAE,CAAC;gBACnD,IAAI,KAAK,CAAC,IAAI,CAAC,aAAa,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;oBAChD,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,IAAsB,CAAC,CAAC;gBAC5C,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,CAAC,CAAC;gBACf,CAAC;YACH,CAAC;QACH,CAAC,CAAC;QAEF,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAE5C,MAAM,GAAG,QAAQ,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QAC1C,MAAM,CAAC,GAAG,GAAG,GAAG,UAAU,6BAA6B,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACpG,MAAM,CAAC,KAAK,CAAC,OAAO,GAAG,MAAM,CAAC;QAC9B,MAAM,CAAC,YAAY,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAC3C,MAAM,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACpC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,uBAAuB,CAC3C,MAAwB;IAExB,mCAAmC;IACnC,MAAM,WAAW,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,CAAC;IAClD,IAAI,WAAW,EAAE,CAAC;QAChB,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,8CAA8C;IAC9C,OAAO,wBAAwB,CAAC,MAAM,CAAC,CAAC;AAC1C,CAAC"}

package/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "@dofe/sso-browser",
+  "version": "0.1.42",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    },
+    "./sso-session": {
+      "types": "./dist/sso-session.d.ts",
+      "default": "./dist/sso-session.js"
+    }
+  },
+  "devDependencies": {
+    "rimraf": "^6.1.3",
+    "typescript": "^6.0.3"
+  },
+  "type": "commonjs",
+  "publishConfig": {
+    "access": "public"
+  },
+  "files": [
+    "dist"
+  ],
+  "license": "UNLICENSED",
+  "scripts": {
+    "build": "tsc",
+    "typecheck": "tsc --noEmit",
+    "clean": "rimraf dist"
+  }
+}