@drmhse/sso-sdk 0.3.14 → 0.5.0

package/dist/index.js

@@ -44,23 +44,38 @@ var AuthErrorCodes = /* @__PURE__ */ ((AuthErrorCodes2) => {
   AuthErrorCodes2["MFA_REQUIRED"] = "MFA_REQUIRED";
   AuthErrorCodes2["ORG_REQUIRED"] = "ORG_REQUIRED";
   AuthErrorCodes2["INVALID_CREDENTIALS"] = "INVALID_CREDENTIALS";
-  AuthErrorCodes2["TOKEN_EXPIRED"] = "TOKEN_EXPIRED";
   AuthErrorCodes2["REFRESH_TOKEN_INVALID"] = "REFRESH_TOKEN_INVALID";
+  AuthErrorCodes2["NOT_FOUND"] = "NOT_FOUND";
   AuthErrorCodes2["UNAUTHORIZED"] = "UNAUTHORIZED";
   AuthErrorCodes2["FORBIDDEN"] = "FORBIDDEN";
-  AuthErrorCodes2["NOT_FOUND"] = "NOT_FOUND";
+  AuthErrorCodes2["TOKEN_EXPIRED"] = "TOKEN_EXPIRED";
   AuthErrorCodes2["VALIDATION_ERROR"] = "VALIDATION_ERROR";
   AuthErrorCodes2["EMAIL_ALREADY_EXISTS"] = "EMAIL_ALREADY_EXISTS";
   AuthErrorCodes2["EMAIL_NOT_VERIFIED"] = "EMAIL_NOT_VERIFIED";
   AuthErrorCodes2["ACCOUNT_SUSPENDED"] = "ACCOUNT_SUSPENDED";
   AuthErrorCodes2["ORG_SUSPENDED"] = "ORG_SUSPENDED";
-  AuthErrorCodes2["RATE_LIMITED"] = "RATE_LIMITED";
-  AuthErrorCodes2["WEAK_PASSWORD"] = "WEAK_PASSWORD";
-  AuthErrorCodes2["INVALID_MFA_CODE"] = "INVALID_MFA_CODE";
+  AuthErrorCodes2["BAD_REQUEST"] = "BAD_REQUEST";
+  AuthErrorCodes2["DUPLICATE_CONSTRAINT"] = "DUPLICATE_CONSTRAINT";
+  AuthErrorCodes2["ORGANIZATION_NOT_ACTIVE"] = "ORGANIZATION_NOT_ACTIVE";
+  AuthErrorCodes2["SERVICE_LIMIT_EXCEEDED"] = "SERVICE_LIMIT_EXCEEDED";
+  AuthErrorCodes2["TEAM_LIMIT_EXCEEDED"] = "TEAM_LIMIT_EXCEEDED";
+  AuthErrorCodes2["INVITATION_EXPIRED"] = "INVITATION_EXPIRED";
   AuthErrorCodes2["LINK_EXPIRED"] = "LINK_EXPIRED";
   AuthErrorCodes2["DEVICE_CODE_EXPIRED"] = "DEVICE_CODE_EXPIRED";
   AuthErrorCodes2["AUTHORIZATION_PENDING"] = "AUTHORIZATION_PENDING";
+  AuthErrorCodes2["DEVICE_CODE_PENDING"] = "DEVICE_CODE_PENDING";
+  AuthErrorCodes2["FEATURE_NOT_AVAILABLE_IN_TIER"] = "FEATURE_NOT_AVAILABLE_IN_TIER";
+  AuthErrorCodes2["RATE_LIMITED"] = "RATE_LIMITED";
+  AuthErrorCodes2["TOO_MANY_REQUESTS"] = "TOO_MANY_REQUESTS";
+  AuthErrorCodes2["WEAK_PASSWORD"] = "WEAK_PASSWORD";
+  AuthErrorCodes2["INVALID_MFA_CODE"] = "INVALID_MFA_CODE";
+  AuthErrorCodes2["JWT_ERROR"] = "JWT_ERROR";
+  AuthErrorCodes2["INTERNAL_SERVER_ERROR"] = "INTERNAL_SERVER_ERROR";
+  AuthErrorCodes2["OAUTH_ERROR"] = "OAUTH_ERROR";
   AuthErrorCodes2["PASSKEY_ERROR"] = "PASSKEY_ERROR";
+  AuthErrorCodes2["STRIPE_ERROR"] = "STRIPE_ERROR";
+  AuthErrorCodes2["DATABASE_ERROR"] = "DATABASE_ERROR";
+  AuthErrorCodes2["GENERIC_ERROR"] = "GENERIC_ERROR";
   return AuthErrorCodes2;
 })(AuthErrorCodes || {});
 var SsoApiError = class _SsoApiError extends Error {
@@ -270,10 +285,13 @@ var HttpClient = class {
   /**
    * DELETE request
    */
-  async delete(path, config) {
+  async delete(path, data, config) {
+    const requestConfig = data && typeof data === "object" && "headers" in data && !config ? data : config;
+    const body = requestConfig === data ? void 0 : data;
     return this.request(path, {
       method: "DELETE",
-      headers: config?.headers
+      body,
+      headers: requestConfig?.headers
     });
   }
 };
@@ -856,7 +874,7 @@ var AuthModule = class {
   }
   /**
    * Login with email and password.
-   * Automatically persists the session and configures the client.
+   * Automatically persists the session once authentication is complete.
    *
    * @param payload Login credentials (email and password)
    * @returns Access token, refresh token, and expiration info
@@ -867,15 +885,17 @@ var AuthModule = class {
    *   email: 'user@example.com',
    *   password: 'SecurePassword123!'
    * });
-   * // Session is automatically saved - no need for manual token management
+   * // Session is automatically saved unless MFA is required
    * ```
    */
   async login(payload) {
     const response = await this.http.post("/api/auth/login", payload);
-    await this.session.setSession({
-      access_token: response.data.access_token,
-      refresh_token: response.data.refresh_token
-    });
+    if (response.data.refresh_token) {
+      await this.session.setSession({
+        access_token: response.data.access_token,
+        refresh_token: response.data.refresh_token
+      });
+    }
     return response.data;
   }
   /**
@@ -1004,6 +1024,20 @@ var AuthModule = class {
     });
     return response.data;
   }
+  /**
+   * Fetch public hosted-auth context for an organization/service login.
+   */
+  async getContext(params = {}) {
+    const searchParams = new URLSearchParams();
+    if (params.org) searchParams.append("org", params.org);
+    if (params.service) searchParams.append("service", params.service);
+    if (params.redirect_uri) searchParams.append("redirect_uri", params.redirect_uri);
+    const query = searchParams.toString();
+    const response = await this.http.get(
+      `/api/auth/context${query ? `?${query}` : ""}`
+    );
+    return response.data;
+  }
 };
 
 // src/modules/user.ts
@@ -1058,6 +1092,41 @@ var IdentitiesModule = class {
     await this.http.delete(`/api/user/identities/${provider}`);
   }
 };
+var LinkedAccountsModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async list() {
+    const response = await this.http.get("/api/user/linked-accounts");
+    return response.data;
+  }
+  async startLink(provider) {
+    const response = await this.http.post(`/api/user/linked-accounts/${provider}/link`, {});
+    return response.data;
+  }
+  async grant(accountId, payload) {
+    const response = await this.http.post(`/api/user/linked-accounts/${accountId}/grants`, payload);
+    return response.data;
+  }
+  async revokeGrant(accountId, serviceId) {
+    await this.http.delete(`/api/user/linked-accounts/${accountId}/grants/${serviceId}`);
+  }
+  async unlink(accountId) {
+    await this.http.delete(`/api/user/linked-accounts/${accountId}`);
+  }
+  async getProviderTokenRequest(state) {
+    const response = await this.http.get(`/api/user/provider-token-requests/${state}`);
+    return response.data;
+  }
+  async completeProviderTokenRequest(state, payload = {}) {
+    const response = await this.http.post(`/api/user/provider-token-requests/${state}/complete`, payload);
+    return response.data;
+  }
+  async startProviderTokenRequestLink(state) {
+    const response = await this.http.post(`/api/user/provider-token-requests/${state}/link`, {});
+    return response.data;
+  }
+};
 var MfaModule = class {
   constructor(http) {
     this.http = http;
@@ -1259,6 +1328,7 @@ var UserModule = class {
   constructor(http) {
     this.http = http;
     this.identities = new IdentitiesModule(http);
+    this.linkedAccounts = new LinkedAccountsModule(http);
     this.mfa = new MfaModule(http);
     this.devices = new DevicesModule(http);
   }
@@ -1629,6 +1699,76 @@ var WebhooksModule = class {
   }
 };
 
+// src/modules/organizations/upstream-providers.ts
+var UpstreamProvidersModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * List all upstream providers for an organization.
+   *
+   * @param orgSlug Organization slug
+   * @returns Array of upstream providers
+   */
+  async list(orgSlug) {
+    const response = await this.http.get(
+      `/api/organizations/${orgSlug}/upstream-providers`
+    );
+    return response.data;
+  }
+  /**
+   * Get a specific upstream provider.
+   *
+   * @param orgSlug Organization slug
+   * @param providerId Provider ID or connection_id
+   * @returns Upstream provider details
+   */
+  async get(orgSlug, providerId) {
+    const response = await this.http.get(
+      `/api/organizations/${orgSlug}/upstream-providers/${providerId}`
+    );
+    return response.data;
+  }
+  /**
+   * Create a new upstream provider.
+   *
+   * @param orgSlug Organization slug
+   * @param payload Provider configuration
+   * @returns Created upstream provider
+   */
+  async create(orgSlug, payload) {
+    const response = await this.http.post(
+      `/api/organizations/${orgSlug}/upstream-providers`,
+      payload
+    );
+    return response.data;
+  }
+  /**
+   * Update an existing upstream provider.
+   *
+   * @param orgSlug Organization slug
+   * @param providerId Provider ID or connection_id
+   * @param payload Update payload
+   * @returns Updated upstream provider
+   */
+  async update(orgSlug, providerId, payload) {
+    const response = await this.http.patch(
+      `/api/organizations/${orgSlug}/upstream-providers/${providerId}`,
+      payload
+    );
+    return response.data;
+  }
+  /**
+   * Delete an upstream provider.
+   *
+   * @param orgSlug Organization slug
+   * @param providerId Provider ID or connection_id
+   */
+  async delete(orgSlug, providerId) {
+    await this.http.delete(`/api/organizations/${orgSlug}/upstream-providers/${providerId}`);
+  }
+};
+
 // src/modules/organizations.ts
 var OrganizationsModule = class {
   constructor(http) {
@@ -1708,7 +1848,9 @@ var OrganizationsModule = class {
           payload
         );
         const invitation = response.data;
-        await this.http.post("/api/invitations/accept", { token: invitation.token });
+        await this.http.post(
+          `/api/organizations/${orgSlug}/invitations/${invitation.id}/accept`
+        );
         return invitation;
       },
       /**
@@ -1749,6 +1891,25 @@ var OrganizationsModule = class {
       remove: async (orgSlug, userId) => {
         await this.http.post(`/api/organizations/${orgSlug}/members/${userId}`);
       },
+      /**
+       * List a member's direct per-service access grants.
+       */
+      listServiceAccess: async (orgSlug, userId) => {
+        const response = await this.http.get(
+          `/api/organizations/${orgSlug}/members/${userId}/service-access`
+        );
+        return response.data;
+      },
+      /**
+       * Replace a member's direct per-service access grants.
+       */
+      updateServiceAccess: async (orgSlug, userId, payload) => {
+        const response = await this.http.put(
+          `/api/organizations/${orgSlug}/members/${userId}/service-access`,
+          payload
+        );
+        return response.data;
+      },
       /**
        * Transfer organization ownership to another member.
        * Requires 'owner' role.
@@ -2313,6 +2474,7 @@ var OrganizationsModule = class {
     };
     this.auditLogs = new AuditLogsModule(http);
     this.webhooks = new WebhooksModule(http);
+    this.upstreamProviders = new UpstreamProvidersModule(http);
   }
   /**
    * Create a new organization (requires authentication).
@@ -3177,13 +3339,12 @@ var ServicesModule = class {
    *
    * @param orgSlug Organization slug
    * @param serviceSlug Service slug
-   * @returns Service with provider grants and plans
+   * @returns Service details
    *
    * @example
    * ```typescript
    * const service = await sso.services.get('acme-corp', 'main-app');
-   * console.log(service.service.redirect_uris);
-   * console.log(service.plans);
+   * console.log(service.name, service.client_id);
    * ```
    */
   async get(orgSlug, serviceSlug) {
@@ -3231,6 +3392,17 @@ var ServicesModule = class {
   async delete(orgSlug, serviceSlug) {
     await this.http.delete(`/api/organizations/${orgSlug}/services/${serviceSlug}`);
   }
+  /**
+   * Rotate a service client secret.
+   * The new secret is returned once and cannot be retrieved later.
+   */
+  async rotateSecret(orgSlug, serviceSlug) {
+    const response = await this.http.post(
+      `/api/organizations/${orgSlug}/services/${serviceSlug}/secret/rotate`,
+      {}
+    );
+    return response.data;
+  }
 };
 
 // src/modules/invitations.ts
@@ -3326,6 +3498,14 @@ var InvitationsModule = class {
     const payload = { token };
     await this.http.post("/api/invitations/accept", payload);
   }
+  /**
+   * Accept one of the current user's invitations by invitation ID.
+   *
+   * @param invitationId Invitation ID
+   */
+  async acceptById(invitationId) {
+    await this.http.post(`/api/invitations/${invitationId}/accept`);
+  }
   /**
    * Decline an invitation using its token.
    *
@@ -3340,6 +3520,14 @@ var InvitationsModule = class {
     const payload = { token };
     await this.http.post("/api/invitations/decline", payload);
   }
+  /**
+   * Decline one of the current user's invitations by invitation ID.
+   *
+   * @param invitationId Invitation ID
+   */
+  async declineById(invitationId) {
+    await this.http.post(`/api/invitations/${invitationId}/decline`);
+  }
 };
 
 // src/modules/platform.ts
@@ -3560,6 +3748,13 @@ var PlatformModule = class {
         const response = await this.http.get("/api/platform/users", { params: options });
         return response.data;
       },
+      /**
+       * Get a single platform user by ID.
+       */
+      get: async (userId) => {
+        const response = await this.http.get(`/api/platform/users/${userId}`);
+        return response.data;
+      },
       /**
        * Search users by email address or user ID.
        *
@@ -3818,6 +4013,13 @@ var PlatformModule = class {
     const response = await this.http.post("/api/platform/impersonate", payload);
     return response.data;
   }
+  /**
+   * Get platform operational counters for jobs, webhooks, and SIEM delivery.
+   */
+  async getOperationsStatus() {
+    const response = await this.http.get("/api/platform/operations/status");
+    return response.data;
+  }
 };
 
 // src/modules/serviceApi.ts
@@ -3897,6 +4099,17 @@ var ServiceApiModule = class {
     const response = await this.http.get("/api/service/info");
     return response.data;
   }
+  /**
+   * Request a backend-only third-party provider access token for an AuthOS user.
+   * Requires `read:provider_tokens` or `read:provider_tokens:{provider}` on the API key.
+   */
+  async requestProviderToken(request) {
+    const response = await this.http.post("/api/service/provider-tokens", {
+      ...request,
+      scopes: request.scopes ?? []
+    });
+    return response.data;
+  }
   /**
    * Create a new user
    * Requires 'write:users' permission on the API key
@@ -4331,6 +4544,29 @@ var PasskeysModule = class {
     );
     return response.data;
   }
+  /**
+   * List registered passkeys for the authenticated user.
+   */
+  async list() {
+    const response = await this.http.get("/api/auth/passkeys");
+    return response.data;
+  }
+  /**
+   * Rename a passkey for the authenticated user.
+   */
+  async updateName(passkeyId, name) {
+    const response = await this.http.patch(`/api/auth/passkeys/${passkeyId}`, {
+      name
+    });
+    return response.data;
+  }
+  /**
+   * Delete a passkey for the authenticated user.
+   */
+  async delete(passkeyId) {
+    const response = await this.http.delete(`/api/auth/passkeys/${passkeyId}`);
+    return response.data;
+  }
   /**
    * Finish the passkey registration ceremony.
    * Verifies the credential created by the browser.
@@ -4416,10 +4652,10 @@ var PasskeysModule = class {
    * Start the passkey authentication ceremony.
    * Returns the options required to get credentials from the browser.
    */
-  async authenticateStart(email) {
+  async authenticateStart(email, context) {
     const response = await this.http.post(
       "/api/auth/passkeys/authenticate/start",
-      { email }
+      { email, ...context }
     );
     return response.data;
   }
@@ -4441,11 +4677,11 @@ var PasskeysModule = class {
    * Authenticate with a passkey and obtain a JWT token
    * ...
    */
-  async login(email) {
+  async login(email, context) {
     if (!this.isSupported()) {
       throw new Error("WebAuthn is not supported in this browser");
     }
-    const startData = await this.authenticateStart(email);
+    const startData = await this.authenticateStart(email, context);
     const getOptions = {
       publicKey: {
         ...startData.options,
@@ -4516,7 +4752,10 @@ var MagicLinks = class {
    * @returns Promise resolving to magic link response
    */
   async request(data) {
-    const response = await this.http.post("/api/auth/magic-link/request", data);
+    const response = await this.http.post("/api/auth/magic-link/request", {
+      ...data,
+      org_slug: data.org_slug || data.orgSlug
+    });
     return response.data;
   }
   /**
@@ -4548,7 +4787,8 @@ var MagicLinks = class {
     if (redirectUri) {
       params.append("redirect_uri", redirectUri);
     }
-    return this.http.get(`/api/auth/magic-link/verify?${params.toString()}`);
+    const response = await this.http.get(`/api/auth/magic-link/verify?${params.toString()}`);
+    return response.data;
   }
   /**
    * Construct the complete magic link URL that would be sent via email
@@ -4605,8 +4845,11 @@ var PrivacyModule = class {
    * // "User data has been anonymized. PII has been removed while preserving audit logs."
    * ```
    */
-  async forgetUser(userId) {
-    const response = await this.http.delete(`/api/privacy/forget/${userId}`);
+  async forgetUser(userId, payload = {}) {
+    const response = await this.http.delete(
+      `/api/privacy/forget/${userId}`,
+      payload
+    );
     return response.data;
   }
 };