@eazo/sdk 0.4.0

package/PROTOCOL.md

@@ -0,0 +1,134 @@
+# Eazo SDK Protocol (v1)
+
+This document specifies the `postMessage` protocol between an Eazo app (web) and its host (Eazo Mobile WebView, or an iframe embed). `@eazo/sdk` is the reference implementation on the app side; host implementations (mobile, backend-driven embed) must conform to this spec.
+
+## Transport
+
+- Channel: `eazo-sdk`
+- Version: `1`
+- Encoding: JSON string
+- App → host: `window.ReactNativeWebView.postMessage(payload)` (RN WebView) or `window.parent.postMessage(payload, "*")` (iframe)
+- Host → app: environment-specific `postMessage` dispatch
+
+Every envelope carries `ch: "eazo-sdk"` and `v: 1`. Messages that don't match are silently ignored — the SDK and host must co-exist with other libraries that also use `postMessage`.
+
+## Envelope types
+
+```ts
+type Envelope =
+  | Ready           // app → host
+  | Hello           // host → app  (in response to Ready)
+  | Request         // app → host
+  | Response        // host → app  (in response to Request)
+  | Event;          // host → app  (unsolicited)
+
+interface Ready      { ch: "eazo-sdk"; v: 1; t: "ready"; }
+
+interface Hello {
+  ch: "eazo-sdk"; v: 1; t: "hello";
+  session:       { authenticated: boolean; user: User | null; token: string | null };
+  device:        DeviceContext;
+  capabilities:  string[];   // e.g. ["auth.*", "device.getContext", "storage.get"]
+}
+
+interface Request    { ch: "eazo-sdk"; v: 1; t: "req"; id: string; fn: string; args?: unknown; }
+
+interface ResponseOk { ch: "eazo-sdk"; v: 1; t: "res"; id: string; ok: true;  data?: unknown; }
+interface ResponseErr{ ch: "eazo-sdk"; v: 1; t: "res"; id: string; ok: false; err: BridgeError; }
+
+interface Event      { ch: "eazo-sdk"; v: 1; t: "evt"; name: string; data?: unknown; }
+
+interface BridgeError {
+  code: "NOT_SUPPORTED" | "TIMEOUT" | "DENIED" | "INVALID_ARGS" | "INTERNAL";
+  message: string;
+}
+```
+
+## Handshake
+
+1. App mounts → sends `{ t: "ready" }`
+2. Host responds with `{ t: "hello", session, device, capabilities }`
+3. App caches the hello payload as initial state; subsequent RPCs and events apply to this cache
+4. If the app does not receive `hello` within **1.5 s**, it enters pure-web mode (no further requests are sent)
+
+## RPC
+
+- `id` is app-generated, unique per session (UUID or counter)
+- Response MUST echo the same `id`
+- Timeout: **10 s** — if no response arrives, the app throws `TIMEOUT`
+
+## Method and event naming
+
+- Method names (`fn`): `<capability>.<action>`; action is camelCase
+  - Examples: `auth.getToken`, `auth.getSession`, `device.getContext`, `storage.get`
+- Event names (`name`): `<capability>.<event>`; past tense or state descriptor
+  - Examples: `auth.changed`, `device.safeArea.changed`
+
+## Capability advertisement
+
+Host declares which functions it supports in `hello.capabilities`. Format:
+
+- `auth.*` — all `auth.<anything>` supported
+- `auth.getToken` — only this specific method
+
+The app checks this list before sending a request; unsupported methods fail immediately with `NOT_SUPPORTED` (app then falls back to web-native behavior).
+
+## Error semantics
+
+| Code | Meaning | App behavior |
+|---|---|---|
+| `NOT_SUPPORTED` | Method not advertised in `capabilities` | Fall back to web-native |
+| `TIMEOUT` | No response in 10 s | Fall back to web-native |
+| `DENIED` | Host / user refused (permission, policy) | Surface to business code |
+| `INVALID_ARGS` | Request args failed validation | Surface to business code |
+| `INTERNAL` | Host error | Log + surface |
+
+## First-version method and event catalog
+
+### Methods
+
+| `fn` | `args` | `data` | Notes |
+|---|---|---|---|
+| `auth.getToken` | — | `{ token: string \| null }` | Current session token |
+| `auth.getSession` | — | `{ session: SessionToken \| null }` | Raw encrypted session (`x-eazo-session` payload) |
+| `auth.requestLogin` | `{ preferredProvider?: string }` (optional) | `{ started: boolean }` | Host should display its native login UI and return promptly (don't block on user). The SDK then waits for `auth.changed` (success) or `auth.loginCancelled` (dismiss). If the host can't show native UI, respond `NOT_SUPPORTED` — SDK falls back to the web login UI inside the WebView. |
+| `device.getContext` | — | `DeviceContext` | Usually unused — hello already contains this |
+
+### Events
+
+| `name` | `data` | Trigger |
+|---|---|---|
+| `auth.changed` | `{ authenticated, user, token }` | Login, logout, account switch |
+| `auth.loginCancelled` | — (optional `{ reason?: string }`) | User dismissed the native login UI without authenticating. Causes the app's in-flight `auth.login()` to reject with `DENIED`. |
+| `device.safeArea.changed` | `{ top?, bottom? }` | Keyboard / orientation |
+
+## Version evolution
+
+- **Breaking change** → bump `v`; host replies `NOT_SUPPORTED` if mismatched
+- **New capability** → append to `capabilities` only; v stays
+- **Method arg change** → new fields optional (backward-compatible); incompatible changes use a new method name
+
+## Minimal host implementation
+
+```ts
+window.addEventListener("message", (e) => {
+  const msg = typeof e.data === "string" ? JSON.parse(e.data) : e.data;
+  if (msg?.ch !== "eazo-sdk" || msg.v !== 1) return;
+
+  if (msg.t === "ready") {
+    send({
+      ch: "eazo-sdk", v: 1, t: "hello",
+      session: { authenticated: true, user, token },
+      device: { platform: "mobile", locale: "zh-CN",
+                safeArea: { top: 44, bottom: 34 }, backendUrl: "https://api.eazo.ai" },
+      capabilities: ["auth.*"],
+    });
+  }
+
+  if (msg.t === "req" && msg.fn === "auth.getToken") {
+    send({ ch: "eazo-sdk", v: 1, t: "res", id: msg.id, ok: true, data: { token } });
+  }
+});
+```
+
+Hosts that don't implement an advertised method must respond with `ok: false, err: { code: "NOT_SUPPORTED", ... }`.

package/README.md

@@ -0,0 +1,163 @@
+# @eazo/sdk
+
+Capability-first SDK for web apps that run both on a standard browser and inside the Eazo Mobile WebView. Write one codebase; the SDK picks the right implementation for the runtime.
+
+## Install
+
+```bash
+npm install @eazo/sdk
+```
+
+## Quick start
+
+```tsx
+// app/layout.tsx
+import { EazoProvider } from "@eazo/sdk/react";
+
+export default function RootLayout({ children }: { children: React.ReactNode }) {
+  return <EazoProvider>{children}</EazoProvider>;
+}
+```
+
+```tsx
+// Any component
+import { auth } from "@eazo/sdk";
+import { useEazo } from "@eazo/sdk/react";
+
+export function Header() {
+  const user = useEazo((s) => s.auth.user);
+  if (!user) return <button onClick={() => auth.loginWithSocial("google")}>Sign in</button>;
+  return <span>Hi, {user.name}</span>;
+}
+```
+
+## API
+
+### `auth`
+
+```ts
+import { auth } from "@eazo/sdk";
+
+auth.user                                   // User | null
+auth.loading                                // boolean
+auth.authenticated                          // boolean
+auth.loginUIOpen                            // boolean (web login UI)
+await auth.getToken()                       // string | null
+auth.onChange((user) => { ... })            // () => void (unsubscribe)
+
+// One-stop login — handles every runtime and idempotent if already signed in.
+const user = await auth.login()             // User
+await auth.login({ timeoutMs: 120_000 })    // custom timeout (default: 5 min)
+auth.showLogin()                            // imperative open (no await)
+auth.hideLogin()                            // imperative close (rejects pending login())
+
+// Low-level login primitives (rarely needed; `login()` orchestrates these).
+await auth.loginWithSocial("google")
+await auth.loginWithEmailPassword(email, password)
+await auth.loginWithEmailCode(email, code)
+await auth.sendEmailCode(email)
+await auth.logout()
+
+auth.fetchSocialConnections()               // SocialConnection[]
+auth.configure({ publicKey: "..." })        // set developer public key
+```
+
+By default the SDK reads `NEXT_PUBLIC_EAZO_PUBLIC_KEY` from the environment. Call `auth.configure({ publicKey })` if you need to set it explicitly.
+
+#### `auth.login()` — unified login flow
+
+`auth.login()` is the canonical way to sign a user in. It:
+
+1. Returns the current user immediately if already authenticated (idempotent).
+2. On Eazo Mobile (host advertises `auth.requestLogin`), delegates to the native host login UI.
+3. Otherwise, shows the SDK-bundled login modal (social providers + email / code / password).
+
+```tsx
+<button onClick={async () => {
+  await auth.login();
+  doSomethingProtected();
+}}>
+  Do something
+</button>
+```
+
+It rejects with `DENIED` if the user cancels, or `TIMEOUT` after 5 minutes of inactivity (configurable via `timeoutMs`).
+
+### `device`
+
+```ts
+import { device } from "@eazo/sdk";
+
+device.platform                             // 'web' | 'mobile'
+device.locale                               // 'zh-CN' | ...
+device.safeArea                             // { top: number; bottom: number }
+device.backendUrl                           // '' when running web-only
+device.getContext()                         // full DeviceContext
+```
+
+### React integration
+
+```ts
+import { EazoProvider, useEazo } from "@eazo/sdk/react";
+```
+
+Rule: inside React render, read reactive state via `useEazo(selector)`. Outside render (event handlers, effects, non-React code), read directly from `auth.xxx` / `device.xxx`.
+
+```tsx
+const user = useEazo((s) => s.auth.user);
+const { platform, safeArea } = useEazo((s) => s.device);
+```
+
+### Server (Next.js route handler)
+
+```ts
+import { requireAuth } from "@eazo/sdk/server";
+
+export function GET(req: NextRequest) {
+  const r = requireAuth(req);
+  if (!r.ok) return r.response;
+  // r.user: User
+}
+```
+
+Requires `EAZO_PRIVATE_KEY` in the server environment.
+
+### Testing
+
+```ts
+import { __resetSDK, __dispatchHostMessage } from "@eazo/sdk/testing";
+
+afterEach(() => __resetSDK());
+```
+
+## Types
+
+```ts
+interface User {
+  id: string;
+  email: string | null;
+  name: string | null;
+  avatarUrl: string | null;
+}
+
+interface DeviceContext {
+  platform: "web" | "mobile";
+  locale: string;
+  safeArea: { top: number; bottom: number };
+  backendUrl: string;
+}
+```
+
+## How it works
+
+The SDK talks to the Eazo Mobile host over `postMessage` using the protocol documented in [PROTOCOL.md](./PROTOCOL.md). When no host responds within 1.5 seconds, the SDK falls back to web-native implementations (GenAuth for login, `localStorage` for session, `navigator.language` for locale).
+
+App code never branches on environment — the capability API is the same on both platforms.
+
+## Environment
+
+| Variable | Required | Used by |
+|---|---|---|
+| `NEXT_PUBLIC_EAZO_PUBLIC_KEY` | web login | `auth.loginWith*` |
+| `NEXT_PUBLIC_EAZO_API_URL` | optional | default `backendUrl` when web-only |
+| `EAZO_PRIVATE_KEY` | server | `requireAuth` |

package/dist/index.d.ts

@@ -0,0 +1,5 @@
+export { auth } from "./internal/capabilities/auth";
+export { device } from "./internal/capabilities/device";
+export type { LoginOptions } from "./internal/capabilities/auth";
+export type { User, DeviceContext, AuthState, EazoState } from "./types";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,8BAA8B,CAAC;AACpD,OAAO,EAAE,MAAM,EAAE,MAAM,gCAAgC,CAAC;AAExD,YAAY,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AACjE,YAAY,EAAE,IAAI,EAAE,aAAa,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC"}

package/dist/index.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.device = exports.auth = void 0;
+var auth_1 = require("./internal/capabilities/auth");
+Object.defineProperty(exports, "auth", { enumerable: true, get: function () { return auth_1.auth; } });
+var device_1 = require("./internal/capabilities/device");
+Object.defineProperty(exports, "device", { enumerable: true, get: function () { return device_1.device; } });
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAAA,qDAAoD;AAA3C,4FAAA,IAAI,OAAA;AACb,yDAAwD;AAA/C,gGAAA,MAAM,OAAA"}

package/dist/internal/auth-primitive/EazoAuthClient.d.ts

@@ -0,0 +1,35 @@
+import { AuthenticationClient } from "authing-js-sdk";
+import type { EazoAuthClientConfig, SessionToken, SocialConnection } from "./types";
+/**
+ * Browser-side auth primitive. Wraps GenAuth (Authing) to exchange a JWT for
+ * an encrypted SessionToken (same shape produced by Eazo Mobile).
+ *
+ * The SDK's `auth` capability wraps this; app code should go through that
+ * capability (auth.loginWithSocial / loginWithEmailPassword / loginWithEmailCode)
+ * rather than using EazoAuthClient directly.
+ */
+export declare class EazoAuthClient {
+    private readonly publicKey;
+    private readonly authAppId;
+    private readonly authAppDomain;
+    private readonly apiBase;
+    private _authingClient;
+    constructor(config: EazoAuthClientConfig);
+    /**
+     * Exchanges a GenAuth JWT for an encrypted session token.
+     * The resulting token has the same shape as Eazo Mobile's session,
+     * so the server always decrypts it with EAZO_PRIVATE_KEY.
+     */
+    private _getSessionToken;
+    /** Initiates a social login popup and returns an encrypted session token. */
+    loginWithSocial(extIdpIdentifier: string): Promise<SessionToken>;
+    /** Logs in with email + password and returns an encrypted session token. */
+    loginWithEmailPassword(email: string, password: string): Promise<SessionToken>;
+    /** Logs in with email + verification code and returns an encrypted session token. */
+    loginWithEmailCode(email: string, code: string): Promise<SessionToken>;
+    /** Sends an email verification code for login. */
+    sendEmailCode(email: string): Promise<void>;
+    getAuthingClient(): AuthenticationClient;
+    fetchSocialConnections(): Promise<SocialConnection[]>;
+}
+//# sourceMappingURL=EazoAuthClient.d.ts.map

package/dist/internal/auth-primitive/EazoAuthClient.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"EazoAuthClient.d.ts","sourceRoot":"","sources":["../../../src/internal/auth-primitive/EazoAuthClient.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAc,MAAM,gBAAgB,CAAC;AAElE,OAAO,KAAK,EAAE,oBAAoB,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAMpF;;;;;;;GAOG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IAEjC,OAAO,CAAC,cAAc,CAAqC;gBAE/C,MAAM,EAAE,oBAAoB;IAQxC;;;;OAIG;YACW,gBAAgB;IAkB9B,6EAA6E;IAC7E,eAAe,CAAC,gBAAgB,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAqBhE,4EAA4E;IACtE,sBAAsB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAUpF,qFAAqF;IAC/E,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAU5E,kDAAkD;IAC5C,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIjD,gBAAgB,IAAI,oBAAoB;IASlC,sBAAsB,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;CAS5D"}

package/dist/internal/auth-primitive/EazoAuthClient.js

@@ -0,0 +1,107 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EazoAuthClient = void 0;
+const authing_js_sdk_1 = require("authing-js-sdk");
+const DEFAULT_AUTH_APP_ID = "6972f32040acf5801552404b";
+const DEFAULT_AUTH_APP_DOMAIN = "https://eazo.genauth.ai";
+const DEFAULT_API_BASE = "https://eazo.ai";
+/**
+ * Browser-side auth primitive. Wraps GenAuth (Authing) to exchange a JWT for
+ * an encrypted SessionToken (same shape produced by Eazo Mobile).
+ *
+ * The SDK's `auth` capability wraps this; app code should go through that
+ * capability (auth.loginWithSocial / loginWithEmailPassword / loginWithEmailCode)
+ * rather than using EazoAuthClient directly.
+ */
+class EazoAuthClient {
+    constructor(config) {
+        this._authingClient = null;
+        if (!config.publicKey)
+            throw new Error("@eazo/sdk: publicKey is required");
+        this.publicKey = config.publicKey;
+        this.authAppId = config.authAppId ?? DEFAULT_AUTH_APP_ID;
+        this.authAppDomain = config.authAppDomain ?? DEFAULT_AUTH_APP_DOMAIN;
+        this.apiBase = config.apiBase ?? DEFAULT_API_BASE;
+    }
+    /**
+     * Exchanges a GenAuth JWT for an encrypted session token.
+     * The resulting token has the same shape as Eazo Mobile's session,
+     * so the server always decrypts it with EAZO_PRIVATE_KEY.
+     */
+    async _getSessionToken(jwt) {
+        const res = await fetch(`${this.apiBase}/api/open/app-session-token`, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                "Authorization": `Bearer ${jwt}`,
+            },
+            body: JSON.stringify({ publicKey: this.publicKey }),
+        });
+        if (!res.ok) {
+            throw new Error(`Failed to get session token: ${res.status}`);
+        }
+        const json = await res.json();
+        return json.data;
+    }
+    /** Initiates a social login popup and returns an encrypted session token. */
+    loginWithSocial(extIdpIdentifier) {
+        return new Promise((resolve, reject) => {
+            const client = this.getAuthingClient();
+            client.social.authorize(extIdpIdentifier, {
+                onSuccess: async (profile) => {
+                    try {
+                        const p = profile;
+                        const jwt = (p.token ?? p.id_token);
+                        if (!jwt)
+                            throw new Error("Social login succeeded but no token received");
+                        resolve(await this._getSessionToken(jwt));
+                    }
+                    catch (err) {
+                        reject(err);
+                    }
+                },
+                onError: (code, message) => {
+                    reject(new Error(message || `Social login failed (${code})`));
+                },
+            });
+        });
+    }
+    /** Logs in with email + password and returns an encrypted session token. */
+    async loginWithEmailPassword(email, password) {
+        const result = (await this.getAuthingClient().loginByEmail(email, password));
+        const jwt = (result.token ?? result.id_token);
+        if (!jwt)
+            throw new Error("Login succeeded but no token received");
+        return this._getSessionToken(jwt);
+    }
+    /** Logs in with email + verification code and returns an encrypted session token. */
+    async loginWithEmailCode(email, code) {
+        const result = (await this.getAuthingClient().loginByEmailCode(email, code));
+        const jwt = (result.token ?? result.id_token);
+        if (!jwt)
+            throw new Error("Login succeeded but no token received");
+        return this._getSessionToken(jwt);
+    }
+    /** Sends an email verification code for login. */
+    async sendEmailCode(email) {
+        await this.getAuthingClient().sendEmail(email, authing_js_sdk_1.EmailScene.LOGIN_VERIFY_CODE);
+    }
+    getAuthingClient() {
+        if (this._authingClient)
+            return this._authingClient;
+        this._authingClient = new authing_js_sdk_1.AuthenticationClient({
+            appId: this.authAppId,
+            appHost: this.authAppDomain,
+        });
+        return this._authingClient;
+    }
+    async fetchSocialConnections() {
+        const res = await fetch(`${this.authAppDomain}/api/v2/applications/${this.authAppId}/public-config`, { next: { revalidate: 3600 } });
+        if (!res.ok)
+            throw new Error(`Failed to fetch GenAuth public config: ${res.status}`);
+        const json = await res.json();
+        return json.data.socialConnections;
+    }
+}
+exports.EazoAuthClient = EazoAuthClient;
+//# sourceMappingURL=EazoAuthClient.js.map

package/dist/internal/auth-primitive/EazoAuthClient.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"EazoAuthClient.js","sourceRoot":"","sources":["../../../src/internal/auth-primitive/EazoAuthClient.ts"],"names":[],"mappings":";;;AAAA,mDAAkE;AAIlE,MAAM,mBAAmB,GAAO,0BAA0B,CAAC;AAC3D,MAAM,uBAAuB,GAAG,yBAAyB,CAAC;AAC1D,MAAM,gBAAgB,GAAU,iBAAiB,CAAC;AAElD;;;;;;;GAOG;AACH,MAAa,cAAc;IAQzB,YAAY,MAA4B;QAFhC,mBAAc,GAAgC,IAAI,CAAC;QAGzD,IAAI,CAAC,MAAM,CAAC,SAAS;YAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QAC3E,IAAI,CAAC,SAAS,GAAO,MAAM,CAAC,SAAS,CAAC;QACtC,IAAI,CAAC,SAAS,GAAO,MAAM,CAAC,SAAS,IAAQ,mBAAmB,CAAC;QACjE,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,IAAI,uBAAuB,CAAC;QACrE,IAAI,CAAC,OAAO,GAAS,MAAM,CAAC,OAAO,IAAU,gBAAgB,CAAC;IAChE,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,gBAAgB,CAAC,GAAW;QACxC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,6BAA6B,EAAE;YACpE,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,eAAe,EAAE,UAAU,GAAG,EAAE;aACjC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC;SACpD,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,gCAAgC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA4B,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAED,6EAA6E;IAC7E,eAAe,CAAC,gBAAwB;QACtC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,MAAM,MAAM,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACvC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,gBAAgB,EAAE;gBACxC,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;oBAC3B,IAAI,CAAC;wBACH,MAAM,CAAC,GAAG,OAA6C,CAAC;wBACxD,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,QAAQ,CAAuB,CAAC;wBAC1D,IAAI,CAAC,GAAG;4BAAE,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;wBAC1E,OAAO,CAAC,MAAM,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC;oBAC5C,CAAC;oBAAC,OAAO,GAAG,EAAE,CAAC;wBACb,MAAM,CAAC,GAAG,CAAC,CAAC;oBACd,CAAC;gBACH,CAAC;gBACD,OAAO,EAAE,CAAC,IAAY,EAAE,OAAe,EAAE,EAAE;oBACzC,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,IAAI,wBAAwB,IAAI,GAAG,CAAC,CAAC,CAAC;gBAChE,CAAC;aACF,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED,4EAA4E;IAC5E,KAAK,CAAC,sBAAsB,CAAC,KAAa,EAAE,QAAgB;QAC1D,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC,YAAY,CACxD,KAAK,EACL,QAAQ,CACT,CAAuC,CAAC;QACzC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,QAAQ,CAAuB,CAAC;QACpE,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QACnE,OAAO,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACpC,CAAC;IAED,qFAAqF;IACrF,KAAK,CAAC,kBAAkB,CAAC,KAAa,EAAE,IAAY;QAClD,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC,gBAAgB,CAC5D,KAAK,EACL,IAAI,CACL,CAAuC,CAAC;QACzC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,QAAQ,CAAuB,CAAC;QACpE,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QACnE,OAAO,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACpC,CAAC;IAED,kDAAkD;IAClD,KAAK,CAAC,aAAa,CAAC,KAAa;QAC/B,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC,SAAS,CAAC,KAAK,EAAE,2BAAU,CAAC,iBAAiB,CAAC,CAAC;IAC/E,CAAC;IAED,gBAAgB;QACd,IAAI,IAAI,CAAC,cAAc;YAAE,OAAO,IAAI,CAAC,cAAc,CAAC;QACpD,IAAI,CAAC,cAAc,GAAG,IAAI,qCAAoB,CAAC;YAC7C,KAAK,EAAI,IAAI,CAAC,SAAS;YACvB,OAAO,EAAE,IAAI,CAAC,aAAa;SAC5B,CAAC,CAAC;QACH,OAAO,IAAI,CAAC,cAAc,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,sBAAsB;QAC1B,MAAM,GAAG,GAAG,MAAM,KAAK,CACrB,GAAG,IAAI,CAAC,aAAa,wBAAwB,IAAI,CAAC,SAAS,gBAAgB,EAC3E,EAAE,IAAI,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,EAAiB,CAC9C,CAAC;QACF,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACrF,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAyD,CAAC;QACrF,OAAO,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC;IACrC,CAAC;CACF;AA1GD,wCA0GC"}

package/dist/internal/auth-primitive/EazoAuthServer.d.ts

@@ -0,0 +1,18 @@
+import type { EazoAuthServerConfig, SessionToken, UserInfo } from "./types";
+/**
+ * Server-side auth verifier. Decrypts an encrypted session token (produced by
+ * the Eazo Mobile bridge or the /api/open/app-session-token exchange) using
+ * EAZO_PRIVATE_KEY. Both Mobile and Web produce the same SessionToken shape,
+ * so verification is a single code path with no environment detection.
+ */
+export declare class EazoAuthServer {
+    private readonly privateKey;
+    constructor(config: EazoAuthServerConfig);
+    /**
+     * Decrypts a session token and returns the user's identity.
+     * @param session - The parsed x-eazo-session payload (encryptedData, encryptedKey, iv, authTag).
+     * @throws if the token is missing required fields or decryption fails.
+     */
+    verifySession(session: SessionToken): UserInfo;
+}
+//# sourceMappingURL=EazoAuthServer.d.ts.map

package/dist/internal/auth-primitive/EazoAuthServer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"EazoAuthServer.d.ts","sourceRoot":"","sources":["../../../src/internal/auth-primitive/EazoAuthServer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,oBAAoB,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAE5E;;;;;GAKG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;gBAExB,MAAM,EAAE,oBAAoB;IAKxC;;;;OAIG;IACH,aAAa,CAAC,OAAO,EAAE,YAAY,GAAG,QAAQ;CAa/C"}

package/dist/internal/auth-primitive/EazoAuthServer.js

@@ -0,0 +1,37 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EazoAuthServer = void 0;
+const decrypt_1 = require("./decrypt");
+/**
+ * Server-side auth verifier. Decrypts an encrypted session token (produced by
+ * the Eazo Mobile bridge or the /api/open/app-session-token exchange) using
+ * EAZO_PRIVATE_KEY. Both Mobile and Web produce the same SessionToken shape,
+ * so verification is a single code path with no environment detection.
+ */
+class EazoAuthServer {
+    constructor(config) {
+        if (!config.privateKey)
+            throw new Error("@eazo/sdk: privateKey is required");
+        this.privateKey = config.privateKey;
+    }
+    /**
+     * Decrypts a session token and returns the user's identity.
+     * @param session - The parsed x-eazo-session payload (encryptedData, encryptedKey, iv, authTag).
+     * @throws if the token is missing required fields or decryption fails.
+     */
+    verifySession(session) {
+        const { encryptedData, encryptedKey, iv, authTag } = session;
+        if (!encryptedData || !encryptedKey || !iv || !authTag) {
+            throw new Error("Incomplete session token");
+        }
+        return (0, decrypt_1.decryptUserInfo)({
+            encryptedData,
+            encryptedKey,
+            iv,
+            authTag,
+            privateKey: this.privateKey,
+        });
+    }
+}
+exports.EazoAuthServer = EazoAuthServer;
+//# sourceMappingURL=EazoAuthServer.js.map

package/dist/internal/auth-primitive/EazoAuthServer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"EazoAuthServer.js","sourceRoot":"","sources":["../../../src/internal/auth-primitive/EazoAuthServer.ts"],"names":[],"mappings":";;;AAAA,uCAA4C;AAG5C;;;;;GAKG;AACH,MAAa,cAAc;IAGzB,YAAY,MAA4B;QACtC,IAAI,CAAC,MAAM,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QAC7E,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;IACtC,CAAC;IAED;;;;OAIG;IACH,aAAa,CAAC,OAAqB;QACjC,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,EAAE,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC;QAC7D,IAAI,CAAC,aAAa,IAAI,CAAC,YAAY,IAAI,CAAC,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC;YACvD,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAC9C,CAAC;QACD,OAAO,IAAA,yBAAe,EAAC;YACrB,aAAa;YACb,YAAY;YACZ,EAAE;YACF,OAAO;YACP,UAAU,EAAE,IAAI,CAAC,UAAU;SAC5B,CAAC,CAAC;IACL,CAAC;CACF;AA1BD,wCA0BC"}

package/dist/internal/auth-primitive/decrypt.d.ts

@@ -0,0 +1,12 @@
+import type { DecryptOptions, DecryptResult, UserInfo } from "./types";
+/**
+ * Decrypt data encrypted with ECC secp256k1 + AES-256-GCM hybrid encryption.
+ *
+ * Two-stage process:
+ *   1. ECDH shared secret + SHA-256 → AES-256-CBC to unwrap the AES key
+ *   2. AES-256-GCM with the unwrapped key to decrypt the payload
+ */
+export declare function decrypt<T = unknown>(options: DecryptOptions): DecryptResult<T>;
+/** Convenience wrapper — decrypts and returns a typed UserInfo object. */
+export declare function decryptUserInfo(options: DecryptOptions): UserInfo;
+//# sourceMappingURL=decrypt.d.ts.map

package/dist/internal/auth-primitive/decrypt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"decrypt.d.ts","sourceRoot":"","sources":["../../../src/internal/auth-primitive/decrypt.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAIvE;;;;;;GAMG;AACH,wBAAgB,OAAO,CAAC,CAAC,GAAG,OAAO,EAAE,OAAO,EAAE,cAAc,GAAG,aAAa,CAAC,CAAC,CAAC,CA4C9E;AAED,0EAA0E;AAC1E,wBAAgB,eAAe,CAAC,OAAO,EAAE,cAAc,GAAG,QAAQ,CAGjE"}

package/dist/internal/auth-primitive/decrypt.js

@@ -0,0 +1,89 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.decrypt = decrypt;
+exports.decryptUserInfo = decryptUserInfo;
+const crypto = __importStar(require("crypto"));
+const elliptic_1 = require("elliptic");
+const ec = new elliptic_1.ec("secp256k1");
+/**
+ * Decrypt data encrypted with ECC secp256k1 + AES-256-GCM hybrid encryption.
+ *
+ * Two-stage process:
+ *   1. ECDH shared secret + SHA-256 → AES-256-CBC to unwrap the AES key
+ *   2. AES-256-GCM with the unwrapped key to decrypt the payload
+ */
+function decrypt(options) {
+    const { encryptedData, encryptedKey, iv, authTag, privateKey } = options;
+    if (!encryptedData || !encryptedKey || !iv || !authTag || !privateKey) {
+        throw new Error("Missing required decryption parameters");
+    }
+    if (!/^[0-9a-f]{64}$/i.test(privateKey)) {
+        throw new Error("Invalid private key — expected 64 hex characters");
+    }
+    const keyPair = ec.keyFromPrivate(privateKey, "hex");
+    const encKeyBuf = Buffer.from(encryptedKey, "base64");
+    const EPHEMERAL_PUBKEY_LEN = 33; // secp256k1 compressed
+    const ephemeralPubKeyHex = encKeyBuf.slice(0, EPHEMERAL_PUBKEY_LEN).toString("hex");
+    const cipherIv = encKeyBuf.slice(EPHEMERAL_PUBKEY_LEN, EPHEMERAL_PUBKEY_LEN + 16);
+    const cipherText = encKeyBuf.slice(EPHEMERAL_PUBKEY_LEN + 16);
+    const ephemeralPubKey = ec.keyFromPublic(ephemeralPubKeyHex, "hex");
+    const sharedSecret = keyPair.derive(ephemeralPubKey.getPublic());
+    const sharedSecretBuf = Buffer.from(sharedSecret.toString(16).padStart(64, "0"), "hex");
+    const decryptionKey = crypto.createHash("sha256").update(sharedSecretBuf).digest();
+    const decipher1 = crypto.createDecipheriv("aes-256-cbc", decryptionKey, cipherIv);
+    const aesKey = Buffer.concat([decipher1.update(cipherText), decipher1.final()]);
+    const ivBuf = Buffer.from(iv, "base64");
+    const authTagBuf = Buffer.from(authTag, "base64");
+    const encDataBuf = Buffer.from(encryptedData, "base64");
+    const decipher2 = crypto.createDecipheriv("aes-256-gcm", aesKey, ivBuf);
+    decipher2.setAuthTag(authTagBuf);
+    let raw = decipher2.update(encDataBuf, undefined, "utf8");
+    raw += decipher2.final("utf8");
+    let data;
+    try {
+        data = JSON.parse(raw);
+    }
+    catch {
+        data = raw;
+    }
+    return { data, raw };
+}
+/** Convenience wrapper — decrypts and returns a typed UserInfo object. */
+function decryptUserInfo(options) {
+    const result = decrypt(options);
+    return result.data;
+}
+//# sourceMappingURL=decrypt.js.map

package/dist/internal/auth-primitive/decrypt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"decrypt.js","sourceRoot":"","sources":["../../../src/internal/auth-primitive/decrypt.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAaA,0BA4CC;AAGD,0CAGC;AA/DD,+CAAiC;AACjC,uCAAoC;AAGpC,MAAM,EAAE,GAAG,IAAI,aAAE,CAAC,WAAW,CAAC,CAAC;AAE/B;;;;;;GAMG;AACH,SAAgB,OAAO,CAAc,OAAuB;IAC1D,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAEzE,IAAI,CAAC,aAAa,IAAI,CAAC,YAAY,IAAI,CAAC,EAAE,IAAI,CAAC,OAAO,IAAI,CAAC,UAAU,EAAE,CAAC;QACtE,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC5D,CAAC;IACD,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IAED,MAAM,OAAO,GAAG,EAAE,CAAC,cAAc,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IACrD,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;IAEtD,MAAM,oBAAoB,GAAG,EAAE,CAAC,CAAC,uBAAuB;IACxD,MAAM,kBAAkB,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,oBAAoB,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACpF,MAAM,QAAQ,GAAG,SAAS,CAAC,KAAK,CAAC,oBAAoB,EAAE,oBAAoB,GAAG,EAAE,CAAC,CAAC;IAClF,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,CAAC,oBAAoB,GAAG,EAAE,CAAC,CAAC;IAE9D,MAAM,eAAe,GAAG,EAAE,CAAC,aAAa,CAAC,kBAAkB,EAAE,KAAK,CAAC,CAAC;IACpE,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,SAAS,EAAE,CAAC,CAAC;IACjE,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,EAAE,EAAE,GAAG,CAAC,EAAE,KAAK,CAAC,CAAC;IACxF,MAAM,aAAa,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,MAAM,EAAE,CAAC;IAEnF,MAAM,SAAS,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,aAAa,EAAE,QAAQ,CAAC,CAAC;IAClF,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAEhF,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IACxC,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAClD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;IAExD,MAAM,SAAS,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACxE,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;IAEjC,IAAI,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,UAAU,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IAC1D,GAAG,IAAI,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAE/B,IAAI,IAAO,CAAC;IACZ,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAM,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,IAAI,GAAG,GAAmB,CAAC;IAC7B,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;AACvB,CAAC;AAED,0EAA0E;AAC1E,SAAgB,eAAe,CAAC,OAAuB;IACrD,MAAM,MAAM,GAAG,OAAO,CAAW,OAAO,CAAC,CAAC;IAC1C,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC"}

package/dist/internal/auth-primitive/index.d.ts

@@ -0,0 +1,5 @@
+export { EazoAuthClient } from "./EazoAuthClient";
+export { EazoAuthServer } from "./EazoAuthServer";
+export { decrypt, decryptUserInfo } from "./decrypt";
+export type { DecryptOptions, DecryptResult, EazoAuthClientConfig, EazoAuthServerConfig, SessionToken, SocialConnection, UserInfo, } from "./types";
+//# sourceMappingURL=index.d.ts.map