@flowsta/auth 2.0.0

package/README.md

@@ -0,0 +1,191 @@
+# @flowsta/auth
+
+Flowsta Auth SDK 2.0 - OAuth-only authentication for web applications.
+
+## Features
+
+- 🔐 **OAuth 2.0 + PKCE** - Secure authentication without client secrets
+- 🌐 **Zero-Knowledge** - Your users' data stays private
+- ⚡ **Simple Integration** - Just a few lines of code
+- 🎨 **Framework Support** - Vanilla JS, React, and more
+
+## Installation
+
+```bash
+npm install @flowsta/auth
+# or
+yarn add @flowsta/auth
+# or
+pnpm add @flowsta/auth
+```
+
+## Quick Start
+
+### 1. Create an App
+
+Go to [dev.flowsta.com](https://dev.flowsta.com) and create an app to get your Client ID.
+
+### 2. Add the Login Button
+
+```typescript
+import { FlowstaAuth } from '@flowsta/auth';
+
+const auth = new FlowstaAuth({
+  clientId: 'your-client-id',
+  redirectUri: 'https://yoursite.com/auth/callback',
+});
+
+// Redirect to Flowsta login
+document.getElementById('login-btn').onclick = () => auth.login();
+```
+
+### 3. Handle the Callback
+
+On your redirect URI page (`/auth/callback`):
+
+```typescript
+import { FlowstaAuth } from '@flowsta/auth';
+
+const auth = new FlowstaAuth({
+  clientId: 'your-client-id',
+  redirectUri: 'https://yoursite.com/auth/callback',
+});
+
+// Handle the OAuth callback
+try {
+  const user = await auth.handleCallback();
+  console.log('Logged in as:', user.email);
+  window.location.href = '/dashboard';
+} catch (error) {
+  console.error('Login failed:', error.message);
+}
+```
+
+### 4. Check Authentication Status
+
+```typescript
+if (auth.isAuthenticated()) {
+  const user = auth.getUser();
+  console.log('Welcome,', user.displayName);
+}
+```
+
+## React Integration
+
+```tsx
+import { FlowstaAuthProvider, useFlowstaAuth } from '@flowsta/auth/react';
+
+// Wrap your app
+function App() {
+  return (
+    <FlowstaAuthProvider
+      clientId="your-client-id"
+      redirectUri="https://yoursite.com/auth/callback"
+    >
+      <MyApp />
+    </FlowstaAuthProvider>
+  );
+}
+
+// Use in components
+function LoginButton() {
+  const { isAuthenticated, user, login, logout } = useFlowstaAuth();
+
+  if (isAuthenticated) {
+    return (
+      <div>
+        <span>Hello, {user.displayName}!</span>
+        <button onClick={logout}>Logout</button>
+      </div>
+    );
+  }
+
+  return <button onClick={login}>Sign in with Flowsta</button>;
+}
+
+// Callback page
+function AuthCallback() {
+  const { handleCallback, isLoading, error } = useFlowstaAuth();
+
+  useEffect(() => {
+    handleCallback()
+      .then(() => window.location.href = '/dashboard')
+      .catch(console.error);
+  }, []);
+
+  if (isLoading) return <p>Logging in...</p>;
+  if (error) return <p>Error: {error}</p>;
+  return null;
+}
+```
+
+## API Reference
+
+### FlowstaAuth
+
+```typescript
+const auth = new FlowstaAuth({
+  clientId: string;      // Required: Your app's client ID
+  redirectUri: string;   // Required: OAuth callback URL
+  scopes?: string[];     // Optional: ['profile', 'email'] (default)
+  loginUrl?: string;     // Optional: Flowsta login URL
+  apiUrl?: string;       // Optional: Flowsta API URL
+});
+```
+
+#### Methods
+
+| Method | Returns | Description |
+|--------|---------|-------------|
+| `login()` | `Promise<void>` | Redirect to Flowsta login |
+| `handleCallback()` | `Promise<FlowstaUser>` | Handle OAuth callback |
+| `logout()` | `void` | Log out the user |
+| `isAuthenticated()` | `boolean` | Check if user is logged in |
+| `getUser()` | `FlowstaUser \| null` | Get current user |
+| `getAccessToken()` | `string \| null` | Get access token |
+| `getState()` | `AuthState` | Get full auth state |
+
+### FlowstaUser
+
+```typescript
+interface FlowstaUser {
+  id: string;
+  email?: string;          // If 'email' scope was granted
+  username?: string;       // User's username (if set)
+  displayName?: string;    // Display name
+  profilePicture?: string; // Profile picture URL
+  agentPubKey?: string;    // Holochain agent public key
+  did?: string;            // Decentralized Identifier
+}
+```
+
+## Security
+
+This SDK uses **OAuth 2.0 Authorization Code Flow with PKCE**, which means:
+
+- ✅ No client secrets needed (safe for browser/mobile apps)
+- ✅ Authorization codes are protected by PKCE challenge
+- ✅ State parameter prevents CSRF attacks
+- ✅ Tokens are securely stored in localStorage
+
+## Migration from SDK 1.x
+
+SDK 2.0 removes direct email/password authentication. All users now authenticate through Flowsta's hosted login page.
+
+**Before (SDK 1.x):**
+```typescript
+// ❌ Deprecated - do not use
+await auth.login(email, password);
+await auth.register(email, password);
+```
+
+**After (SDK 2.0):**
+```typescript
+// ✅ OAuth redirect
+await auth.login(); // Redirects to login.flowsta.com
+```
+
+## License
+
+MIT
+

package/dist/chunk-NBWAVXMK.mjs

@@ -0,0 +1,183 @@
+// src/index.ts
+async function generatePKCEPair() {
+  const verifier = generateRandomString(128);
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  const challenge = base64UrlEncode(digest);
+  return { verifier, challenge };
+}
+function generateRandomString(length) {
+  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+  const array = new Uint8Array(length);
+  crypto.getRandomValues(array);
+  return Array.from(array, (byte) => chars[byte % chars.length]).join("");
+}
+function base64UrlEncode(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.byteLength; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+var FlowstaAuth = class {
+  constructor(config) {
+    this.accessToken = null;
+    this.user = null;
+    this.config = {
+      clientId: config.clientId,
+      redirectUri: config.redirectUri,
+      scopes: config.scopes || ["profile", "email"],
+      loginUrl: config.loginUrl || "https://login.flowsta.com",
+      apiUrl: config.apiUrl || "https://auth-api.flowsta.com"
+    };
+    this.restoreSession();
+  }
+  /**
+   * Redirect user to Flowsta login page
+   * User will be redirected back to redirectUri after authentication
+   */
+  async login() {
+    const { verifier, challenge } = await generatePKCEPair();
+    const state = generateRandomString(32);
+    sessionStorage.setItem("flowsta_code_verifier", verifier);
+    sessionStorage.setItem("flowsta_state", state);
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: this.config.redirectUri,
+      response_type: "code",
+      scope: this.config.scopes.join(" "),
+      state,
+      code_challenge: challenge,
+      code_challenge_method: "S256"
+    });
+    window.location.href = `${this.config.loginUrl}/login?${params.toString()}`;
+  }
+  /**
+   * Handle OAuth callback after user authentication
+   * Call this on your redirect URI page
+   * @returns The authenticated user
+   */
+  async handleCallback() {
+    const params = new URLSearchParams(window.location.search);
+    const error = params.get("error");
+    if (error) {
+      const description = params.get("error_description") || error;
+      throw new Error(description);
+    }
+    const code = params.get("code");
+    if (!code) {
+      throw new Error("No authorization code received");
+    }
+    const state = params.get("state");
+    const storedState = sessionStorage.getItem("flowsta_state");
+    if (!state || state !== storedState) {
+      throw new Error("Invalid state parameter - possible CSRF attack");
+    }
+    const codeVerifier = sessionStorage.getItem("flowsta_code_verifier");
+    if (!codeVerifier) {
+      throw new Error("Missing PKCE code verifier");
+    }
+    const tokenResponse = await fetch(`${this.config.apiUrl}/oauth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: this.config.redirectUri,
+        client_id: this.config.clientId,
+        code_verifier: codeVerifier
+      })
+    });
+    if (!tokenResponse.ok) {
+      const errorData = await tokenResponse.json();
+      throw new Error(errorData.error_description || "Token exchange failed");
+    }
+    const { access_token, refresh_token } = await tokenResponse.json();
+    sessionStorage.removeItem("flowsta_code_verifier");
+    sessionStorage.removeItem("flowsta_state");
+    const userResponse = await fetch(`${this.config.apiUrl}/oauth/userinfo`, {
+      headers: { "Authorization": `Bearer ${access_token}` }
+    });
+    if (!userResponse.ok) {
+      throw new Error("Failed to fetch user info");
+    }
+    const userData = await userResponse.json();
+    this.accessToken = access_token;
+    this.user = {
+      id: userData.sub || userData.id,
+      email: userData.email,
+      username: userData.preferred_username,
+      displayName: userData.display_name || userData.name,
+      profilePicture: userData.picture || userData.profile_picture,
+      agentPubKey: userData.agent_pub_key,
+      did: userData.did
+    };
+    localStorage.setItem("flowsta_access_token", access_token);
+    localStorage.setItem("flowsta_user", JSON.stringify(this.user));
+    if (refresh_token) {
+      localStorage.setItem("flowsta_refresh_token", refresh_token);
+    }
+    return this.user;
+  }
+  /**
+   * Log out the current user
+   */
+  logout() {
+    this.accessToken = null;
+    this.user = null;
+    localStorage.removeItem("flowsta_access_token");
+    localStorage.removeItem("flowsta_user");
+    localStorage.removeItem("flowsta_refresh_token");
+  }
+  /**
+   * Check if user is authenticated
+   */
+  isAuthenticated() {
+    return !!this.accessToken && !!this.user;
+  }
+  /**
+   * Get the current user
+   */
+  getUser() {
+    return this.user;
+  }
+  /**
+   * Get the current access token
+   */
+  getAccessToken() {
+    return this.accessToken;
+  }
+  /**
+   * Get current auth state
+   */
+  getState() {
+    return {
+      isAuthenticated: this.isAuthenticated(),
+      user: this.user,
+      accessToken: this.accessToken,
+      isLoading: false,
+      error: null
+    };
+  }
+  restoreSession() {
+    if (typeof localStorage === "undefined") return;
+    const token = localStorage.getItem("flowsta_access_token");
+    const userJson = localStorage.getItem("flowsta_user");
+    if (token && userJson) {
+      try {
+        this.accessToken = token;
+        this.user = JSON.parse(userJson);
+      } catch {
+        this.logout();
+      }
+    }
+  }
+};
+var index_default = FlowstaAuth;
+
+export {
+  FlowstaAuth,
+  index_default
+};

package/dist/index.d.mts

@@ -0,0 +1,112 @@
+/**
+ * Flowsta Auth SDK 2.0
+ *
+ * OAuth-only authentication for partner sites.
+ * All authentication flows through login.flowsta.com
+ *
+ * Features:
+ * - OAuth 2.0 Authorization Code Flow with PKCE
+ * - Zero-knowledge architecture
+ * - No client secrets needed (PKCE provides security)
+ * - Simple "Sign in with Flowsta" integration
+ */
+interface FlowstaAuthConfig {
+    /** Your Flowsta application client ID (from dev.flowsta.com) */
+    clientId: string;
+    /** The URI to redirect back to after authentication */
+    redirectUri: string;
+    /** OAuth scopes to request. Default: ['profile', 'email'] */
+    scopes?: string[];
+    /** The Flowsta login URL. Default: 'https://login.flowsta.com' */
+    loginUrl?: string;
+    /** The Flowsta API URL. Default: 'https://auth-api.flowsta.com' */
+    apiUrl?: string;
+}
+interface FlowstaUser {
+    /** User's unique ID */
+    id: string;
+    /** User's email address (if 'email' scope was granted) */
+    email?: string;
+    /** User's username (if set) */
+    username?: string;
+    /** User's display name */
+    displayName?: string;
+    /** User's profile picture URL */
+    profilePicture?: string;
+    /** User's Holochain agent public key */
+    agentPubKey?: string;
+    /** User's DID (Decentralized Identifier) */
+    did?: string;
+}
+interface AuthState {
+    /** Whether the user is authenticated */
+    isAuthenticated: boolean;
+    /** The current user (null if not authenticated) */
+    user: FlowstaUser | null;
+    /** The access token (null if not authenticated) */
+    accessToken: string | null;
+    /** Whether authentication is loading */
+    isLoading: boolean;
+    /** Any authentication error */
+    error: string | null;
+}
+/**
+ * FlowstaAuth class - Main SDK entry point
+ *
+ * Usage:
+ * ```typescript
+ * const auth = new FlowstaAuth({
+ *   clientId: 'your-client-id',
+ *   redirectUri: 'https://yoursite.com/auth/callback'
+ * });
+ *
+ * // Redirect to login
+ * auth.login();
+ *
+ * // Handle callback (on your redirect URI page)
+ * await auth.handleCallback();
+ *
+ * // Get current user
+ * const user = auth.getUser();
+ * ```
+ */
+declare class FlowstaAuth {
+    private config;
+    private accessToken;
+    private user;
+    constructor(config: FlowstaAuthConfig);
+    /**
+     * Redirect user to Flowsta login page
+     * User will be redirected back to redirectUri after authentication
+     */
+    login(): Promise<void>;
+    /**
+     * Handle OAuth callback after user authentication
+     * Call this on your redirect URI page
+     * @returns The authenticated user
+     */
+    handleCallback(): Promise<FlowstaUser>;
+    /**
+     * Log out the current user
+     */
+    logout(): void;
+    /**
+     * Check if user is authenticated
+     */
+    isAuthenticated(): boolean;
+    /**
+     * Get the current user
+     */
+    getUser(): FlowstaUser | null;
+    /**
+     * Get the current access token
+     */
+    getAccessToken(): string | null;
+    /**
+     * Get current auth state
+     */
+    getState(): AuthState;
+    private restoreSession;
+}
+
+export { type AuthState, FlowstaAuth, type FlowstaAuthConfig, type FlowstaUser, FlowstaAuth as default };

package/dist/index.d.ts

@@ -0,0 +1,112 @@
+/**
+ * Flowsta Auth SDK 2.0
+ *
+ * OAuth-only authentication for partner sites.
+ * All authentication flows through login.flowsta.com
+ *
+ * Features:
+ * - OAuth 2.0 Authorization Code Flow with PKCE
+ * - Zero-knowledge architecture
+ * - No client secrets needed (PKCE provides security)
+ * - Simple "Sign in with Flowsta" integration
+ */
+interface FlowstaAuthConfig {
+    /** Your Flowsta application client ID (from dev.flowsta.com) */
+    clientId: string;
+    /** The URI to redirect back to after authentication */
+    redirectUri: string;
+    /** OAuth scopes to request. Default: ['profile', 'email'] */
+    scopes?: string[];
+    /** The Flowsta login URL. Default: 'https://login.flowsta.com' */
+    loginUrl?: string;
+    /** The Flowsta API URL. Default: 'https://auth-api.flowsta.com' */
+    apiUrl?: string;
+}
+interface FlowstaUser {
+    /** User's unique ID */
+    id: string;
+    /** User's email address (if 'email' scope was granted) */
+    email?: string;
+    /** User's username (if set) */
+    username?: string;
+    /** User's display name */
+    displayName?: string;
+    /** User's profile picture URL */
+    profilePicture?: string;
+    /** User's Holochain agent public key */
+    agentPubKey?: string;
+    /** User's DID (Decentralized Identifier) */
+    did?: string;
+}
+interface AuthState {
+    /** Whether the user is authenticated */
+    isAuthenticated: boolean;
+    /** The current user (null if not authenticated) */
+    user: FlowstaUser | null;
+    /** The access token (null if not authenticated) */
+    accessToken: string | null;
+    /** Whether authentication is loading */
+    isLoading: boolean;
+    /** Any authentication error */
+    error: string | null;
+}
+/**
+ * FlowstaAuth class - Main SDK entry point
+ *
+ * Usage:
+ * ```typescript
+ * const auth = new FlowstaAuth({
+ *   clientId: 'your-client-id',
+ *   redirectUri: 'https://yoursite.com/auth/callback'
+ * });
+ *
+ * // Redirect to login
+ * auth.login();
+ *
+ * // Handle callback (on your redirect URI page)
+ * await auth.handleCallback();
+ *
+ * // Get current user
+ * const user = auth.getUser();
+ * ```
+ */
+declare class FlowstaAuth {
+    private config;
+    private accessToken;
+    private user;
+    constructor(config: FlowstaAuthConfig);
+    /**
+     * Redirect user to Flowsta login page
+     * User will be redirected back to redirectUri after authentication
+     */
+    login(): Promise<void>;
+    /**
+     * Handle OAuth callback after user authentication
+     * Call this on your redirect URI page
+     * @returns The authenticated user
+     */
+    handleCallback(): Promise<FlowstaUser>;
+    /**
+     * Log out the current user
+     */
+    logout(): void;
+    /**
+     * Check if user is authenticated
+     */
+    isAuthenticated(): boolean;
+    /**
+     * Get the current user
+     */
+    getUser(): FlowstaUser | null;
+    /**
+     * Get the current access token
+     */
+    getAccessToken(): string | null;
+    /**
+     * Get current auth state
+     */
+    getState(): AuthState;
+    private restoreSession;
+}
+
+export { type AuthState, FlowstaAuth, type FlowstaAuthConfig, type FlowstaUser, FlowstaAuth as default };

package/dist/index.js

@@ -0,0 +1,207 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  FlowstaAuth: () => FlowstaAuth,
+  default: () => index_default
+});
+module.exports = __toCommonJS(index_exports);
+async function generatePKCEPair() {
+  const verifier = generateRandomString(128);
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  const challenge = base64UrlEncode(digest);
+  return { verifier, challenge };
+}
+function generateRandomString(length) {
+  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+  const array = new Uint8Array(length);
+  crypto.getRandomValues(array);
+  return Array.from(array, (byte) => chars[byte % chars.length]).join("");
+}
+function base64UrlEncode(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.byteLength; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+var FlowstaAuth = class {
+  constructor(config) {
+    this.accessToken = null;
+    this.user = null;
+    this.config = {
+      clientId: config.clientId,
+      redirectUri: config.redirectUri,
+      scopes: config.scopes || ["profile", "email"],
+      loginUrl: config.loginUrl || "https://login.flowsta.com",
+      apiUrl: config.apiUrl || "https://auth-api.flowsta.com"
+    };
+    this.restoreSession();
+  }
+  /**
+   * Redirect user to Flowsta login page
+   * User will be redirected back to redirectUri after authentication
+   */
+  async login() {
+    const { verifier, challenge } = await generatePKCEPair();
+    const state = generateRandomString(32);
+    sessionStorage.setItem("flowsta_code_verifier", verifier);
+    sessionStorage.setItem("flowsta_state", state);
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: this.config.redirectUri,
+      response_type: "code",
+      scope: this.config.scopes.join(" "),
+      state,
+      code_challenge: challenge,
+      code_challenge_method: "S256"
+    });
+    window.location.href = `${this.config.loginUrl}/login?${params.toString()}`;
+  }
+  /**
+   * Handle OAuth callback after user authentication
+   * Call this on your redirect URI page
+   * @returns The authenticated user
+   */
+  async handleCallback() {
+    const params = new URLSearchParams(window.location.search);
+    const error = params.get("error");
+    if (error) {
+      const description = params.get("error_description") || error;
+      throw new Error(description);
+    }
+    const code = params.get("code");
+    if (!code) {
+      throw new Error("No authorization code received");
+    }
+    const state = params.get("state");
+    const storedState = sessionStorage.getItem("flowsta_state");
+    if (!state || state !== storedState) {
+      throw new Error("Invalid state parameter - possible CSRF attack");
+    }
+    const codeVerifier = sessionStorage.getItem("flowsta_code_verifier");
+    if (!codeVerifier) {
+      throw new Error("Missing PKCE code verifier");
+    }
+    const tokenResponse = await fetch(`${this.config.apiUrl}/oauth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: this.config.redirectUri,
+        client_id: this.config.clientId,
+        code_verifier: codeVerifier
+      })
+    });
+    if (!tokenResponse.ok) {
+      const errorData = await tokenResponse.json();
+      throw new Error(errorData.error_description || "Token exchange failed");
+    }
+    const { access_token, refresh_token } = await tokenResponse.json();
+    sessionStorage.removeItem("flowsta_code_verifier");
+    sessionStorage.removeItem("flowsta_state");
+    const userResponse = await fetch(`${this.config.apiUrl}/oauth/userinfo`, {
+      headers: { "Authorization": `Bearer ${access_token}` }
+    });
+    if (!userResponse.ok) {
+      throw new Error("Failed to fetch user info");
+    }
+    const userData = await userResponse.json();
+    this.accessToken = access_token;
+    this.user = {
+      id: userData.sub || userData.id,
+      email: userData.email,
+      username: userData.preferred_username,
+      displayName: userData.display_name || userData.name,
+      profilePicture: userData.picture || userData.profile_picture,
+      agentPubKey: userData.agent_pub_key,
+      did: userData.did
+    };
+    localStorage.setItem("flowsta_access_token", access_token);
+    localStorage.setItem("flowsta_user", JSON.stringify(this.user));
+    if (refresh_token) {
+      localStorage.setItem("flowsta_refresh_token", refresh_token);
+    }
+    return this.user;
+  }
+  /**
+   * Log out the current user
+   */
+  logout() {
+    this.accessToken = null;
+    this.user = null;
+    localStorage.removeItem("flowsta_access_token");
+    localStorage.removeItem("flowsta_user");
+    localStorage.removeItem("flowsta_refresh_token");
+  }
+  /**
+   * Check if user is authenticated
+   */
+  isAuthenticated() {
+    return !!this.accessToken && !!this.user;
+  }
+  /**
+   * Get the current user
+   */
+  getUser() {
+    return this.user;
+  }
+  /**
+   * Get the current access token
+   */
+  getAccessToken() {
+    return this.accessToken;
+  }
+  /**
+   * Get current auth state
+   */
+  getState() {
+    return {
+      isAuthenticated: this.isAuthenticated(),
+      user: this.user,
+      accessToken: this.accessToken,
+      isLoading: false,
+      error: null
+    };
+  }
+  restoreSession() {
+    if (typeof localStorage === "undefined") return;
+    const token = localStorage.getItem("flowsta_access_token");
+    const userJson = localStorage.getItem("flowsta_user");
+    if (token && userJson) {
+      try {
+        this.accessToken = token;
+        this.user = JSON.parse(userJson);
+      } catch {
+        this.logout();
+      }
+    }
+  }
+};
+var index_default = FlowstaAuth;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  FlowstaAuth
+});

package/dist/index.mjs

@@ -0,0 +1,8 @@
+import {
+  FlowstaAuth,
+  index_default
+} from "./chunk-NBWAVXMK.mjs";
+export {
+  FlowstaAuth,
+  index_default as default
+};

package/dist/react.d.mts

@@ -0,0 +1,37 @@
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import { ReactNode } from 'react';
+import { FlowstaAuthConfig, AuthState, FlowstaUser } from './index.mjs';
+export { default as FlowstaAuth } from './index.mjs';
+
+interface FlowstaAuthContextValue extends AuthState {
+    /** Redirect to Flowsta login */
+    login: () => Promise<void>;
+    /** Log out the current user */
+    logout: () => void;
+    /** Handle OAuth callback (call on redirect URI page) */
+    handleCallback: () => Promise<FlowstaUser>;
+}
+interface FlowstaAuthProviderProps extends FlowstaAuthConfig {
+    children: ReactNode;
+}
+/**
+ * Flowsta Auth Provider component
+ * Wrap your app with this to enable authentication
+ */
+declare function FlowstaAuthProvider({ children, clientId, redirectUri, scopes, loginUrl, apiUrl, }: FlowstaAuthProviderProps): react_jsx_runtime.JSX.Element;
+/**
+ * Hook to access Flowsta Auth
+ * Must be used within a FlowstaAuthProvider
+ */
+declare function useFlowstaAuth(): FlowstaAuthContextValue;
+/**
+ * Hook to protect routes/components
+ * Redirects to login if not authenticated
+ */
+declare function useRequireAuth(options?: {
+    redirectTo?: string;
+}): AuthState & {
+    isReady: boolean;
+};
+
+export { AuthState, FlowstaAuthConfig, FlowstaAuthProvider, FlowstaUser, FlowstaAuthProvider as default, useFlowstaAuth, useRequireAuth };

package/dist/react.d.ts

@@ -0,0 +1,37 @@
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import { ReactNode } from 'react';
+import { FlowstaAuthConfig, AuthState, FlowstaUser } from './index.js';
+export { default as FlowstaAuth } from './index.js';
+
+interface FlowstaAuthContextValue extends AuthState {
+    /** Redirect to Flowsta login */
+    login: () => Promise<void>;
+    /** Log out the current user */
+    logout: () => void;
+    /** Handle OAuth callback (call on redirect URI page) */
+    handleCallback: () => Promise<FlowstaUser>;
+}
+interface FlowstaAuthProviderProps extends FlowstaAuthConfig {
+    children: ReactNode;
+}
+/**
+ * Flowsta Auth Provider component
+ * Wrap your app with this to enable authentication
+ */
+declare function FlowstaAuthProvider({ children, clientId, redirectUri, scopes, loginUrl, apiUrl, }: FlowstaAuthProviderProps): react_jsx_runtime.JSX.Element;
+/**
+ * Hook to access Flowsta Auth
+ * Must be used within a FlowstaAuthProvider
+ */
+declare function useFlowstaAuth(): FlowstaAuthContextValue;
+/**
+ * Hook to protect routes/components
+ * Redirects to login if not authenticated
+ */
+declare function useRequireAuth(options?: {
+    redirectTo?: string;
+}): AuthState & {
+    isReady: boolean;
+};
+
+export { AuthState, FlowstaAuthConfig, FlowstaAuthProvider, FlowstaUser, FlowstaAuthProvider as default, useFlowstaAuth, useRequireAuth };

package/dist/react.js

@@ -0,0 +1,316 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/react.tsx
+var react_exports = {};
+__export(react_exports, {
+  FlowstaAuth: () => FlowstaAuth,
+  FlowstaAuthProvider: () => FlowstaAuthProvider,
+  default: () => react_default,
+  useFlowstaAuth: () => useFlowstaAuth,
+  useRequireAuth: () => useRequireAuth
+});
+module.exports = __toCommonJS(react_exports);
+var import_react = require("react");
+
+// src/index.ts
+async function generatePKCEPair() {
+  const verifier = generateRandomString(128);
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  const challenge = base64UrlEncode(digest);
+  return { verifier, challenge };
+}
+function generateRandomString(length) {
+  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+  const array = new Uint8Array(length);
+  crypto.getRandomValues(array);
+  return Array.from(array, (byte) => chars[byte % chars.length]).join("");
+}
+function base64UrlEncode(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.byteLength; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+var FlowstaAuth = class {
+  constructor(config) {
+    this.accessToken = null;
+    this.user = null;
+    this.config = {
+      clientId: config.clientId,
+      redirectUri: config.redirectUri,
+      scopes: config.scopes || ["profile", "email"],
+      loginUrl: config.loginUrl || "https://login.flowsta.com",
+      apiUrl: config.apiUrl || "https://auth-api.flowsta.com"
+    };
+    this.restoreSession();
+  }
+  /**
+   * Redirect user to Flowsta login page
+   * User will be redirected back to redirectUri after authentication
+   */
+  async login() {
+    const { verifier, challenge } = await generatePKCEPair();
+    const state = generateRandomString(32);
+    sessionStorage.setItem("flowsta_code_verifier", verifier);
+    sessionStorage.setItem("flowsta_state", state);
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: this.config.redirectUri,
+      response_type: "code",
+      scope: this.config.scopes.join(" "),
+      state,
+      code_challenge: challenge,
+      code_challenge_method: "S256"
+    });
+    window.location.href = `${this.config.loginUrl}/login?${params.toString()}`;
+  }
+  /**
+   * Handle OAuth callback after user authentication
+   * Call this on your redirect URI page
+   * @returns The authenticated user
+   */
+  async handleCallback() {
+    const params = new URLSearchParams(window.location.search);
+    const error = params.get("error");
+    if (error) {
+      const description = params.get("error_description") || error;
+      throw new Error(description);
+    }
+    const code = params.get("code");
+    if (!code) {
+      throw new Error("No authorization code received");
+    }
+    const state = params.get("state");
+    const storedState = sessionStorage.getItem("flowsta_state");
+    if (!state || state !== storedState) {
+      throw new Error("Invalid state parameter - possible CSRF attack");
+    }
+    const codeVerifier = sessionStorage.getItem("flowsta_code_verifier");
+    if (!codeVerifier) {
+      throw new Error("Missing PKCE code verifier");
+    }
+    const tokenResponse = await fetch(`${this.config.apiUrl}/oauth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: this.config.redirectUri,
+        client_id: this.config.clientId,
+        code_verifier: codeVerifier
+      })
+    });
+    if (!tokenResponse.ok) {
+      const errorData = await tokenResponse.json();
+      throw new Error(errorData.error_description || "Token exchange failed");
+    }
+    const { access_token, refresh_token } = await tokenResponse.json();
+    sessionStorage.removeItem("flowsta_code_verifier");
+    sessionStorage.removeItem("flowsta_state");
+    const userResponse = await fetch(`${this.config.apiUrl}/oauth/userinfo`, {
+      headers: { "Authorization": `Bearer ${access_token}` }
+    });
+    if (!userResponse.ok) {
+      throw new Error("Failed to fetch user info");
+    }
+    const userData = await userResponse.json();
+    this.accessToken = access_token;
+    this.user = {
+      id: userData.sub || userData.id,
+      email: userData.email,
+      username: userData.preferred_username,
+      displayName: userData.display_name || userData.name,
+      profilePicture: userData.picture || userData.profile_picture,
+      agentPubKey: userData.agent_pub_key,
+      did: userData.did
+    };
+    localStorage.setItem("flowsta_access_token", access_token);
+    localStorage.setItem("flowsta_user", JSON.stringify(this.user));
+    if (refresh_token) {
+      localStorage.setItem("flowsta_refresh_token", refresh_token);
+    }
+    return this.user;
+  }
+  /**
+   * Log out the current user
+   */
+  logout() {
+    this.accessToken = null;
+    this.user = null;
+    localStorage.removeItem("flowsta_access_token");
+    localStorage.removeItem("flowsta_user");
+    localStorage.removeItem("flowsta_refresh_token");
+  }
+  /**
+   * Check if user is authenticated
+   */
+  isAuthenticated() {
+    return !!this.accessToken && !!this.user;
+  }
+  /**
+   * Get the current user
+   */
+  getUser() {
+    return this.user;
+  }
+  /**
+   * Get the current access token
+   */
+  getAccessToken() {
+    return this.accessToken;
+  }
+  /**
+   * Get current auth state
+   */
+  getState() {
+    return {
+      isAuthenticated: this.isAuthenticated(),
+      user: this.user,
+      accessToken: this.accessToken,
+      isLoading: false,
+      error: null
+    };
+  }
+  restoreSession() {
+    if (typeof localStorage === "undefined") return;
+    const token = localStorage.getItem("flowsta_access_token");
+    const userJson = localStorage.getItem("flowsta_user");
+    if (token && userJson) {
+      try {
+        this.accessToken = token;
+        this.user = JSON.parse(userJson);
+      } catch {
+        this.logout();
+      }
+    }
+  }
+};
+
+// src/react.tsx
+var import_jsx_runtime = require("react/jsx-runtime");
+var FlowstaAuthContext = (0, import_react.createContext)(null);
+function FlowstaAuthProvider({
+  children,
+  clientId,
+  redirectUri,
+  scopes,
+  loginUrl,
+  apiUrl
+}) {
+  const [auth] = (0, import_react.useState)(() => new FlowstaAuth({
+    clientId,
+    redirectUri,
+    scopes,
+    loginUrl,
+    apiUrl
+  }));
+  const [state, setState] = (0, import_react.useState)(() => auth.getState());
+  (0, import_react.useEffect)(() => {
+    setState(auth.getState());
+  }, [auth]);
+  const login = (0, import_react.useCallback)(async () => {
+    setState((prev) => ({ ...prev, isLoading: true, error: null }));
+    try {
+      await auth.login();
+    } catch (error) {
+      setState((prev) => ({
+        ...prev,
+        isLoading: false,
+        error: error instanceof Error ? error.message : "Login failed"
+      }));
+    }
+  }, [auth]);
+  const logout = (0, import_react.useCallback)(() => {
+    auth.logout();
+    setState({
+      isAuthenticated: false,
+      user: null,
+      accessToken: null,
+      isLoading: false,
+      error: null
+    });
+  }, [auth]);
+  const handleCallback = (0, import_react.useCallback)(async () => {
+    setState((prev) => ({ ...prev, isLoading: true, error: null }));
+    try {
+      const user = await auth.handleCallback();
+      setState({
+        isAuthenticated: true,
+        user,
+        accessToken: auth.getAccessToken(),
+        isLoading: false,
+        error: null
+      });
+      return user;
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : "Authentication failed";
+      setState((prev) => ({
+        ...prev,
+        isLoading: false,
+        error: errorMessage
+      }));
+      throw error;
+    }
+  }, [auth]);
+  const value = {
+    ...state,
+    login,
+    logout,
+    handleCallback
+  };
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(FlowstaAuthContext.Provider, { value, children });
+}
+function useFlowstaAuth() {
+  const context = (0, import_react.useContext)(FlowstaAuthContext);
+  if (!context) {
+    throw new Error("useFlowstaAuth must be used within a FlowstaAuthProvider");
+  }
+  return context;
+}
+function useRequireAuth(options) {
+  const { isAuthenticated, isLoading, login, ...rest } = useFlowstaAuth();
+  const [isReady, setIsReady] = (0, import_react.useState)(false);
+  (0, import_react.useEffect)(() => {
+    if (!isLoading) {
+      if (!isAuthenticated) {
+        if (options?.redirectTo) {
+          window.location.href = options.redirectTo;
+        } else {
+          login();
+        }
+      } else {
+        setIsReady(true);
+      }
+    }
+  }, [isAuthenticated, isLoading, login, options?.redirectTo]);
+  return { isAuthenticated, isLoading, isReady, ...rest };
+}
+var react_default = FlowstaAuthProvider;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  FlowstaAuth,
+  FlowstaAuthProvider,
+  useFlowstaAuth,
+  useRequireAuth
+});

package/dist/react.mjs

@@ -0,0 +1,118 @@
+import {
+  FlowstaAuth
+} from "./chunk-NBWAVXMK.mjs";
+
+// src/react.tsx
+import {
+  createContext,
+  useContext,
+  useState,
+  useEffect,
+  useCallback
+} from "react";
+import { jsx } from "react/jsx-runtime";
+var FlowstaAuthContext = createContext(null);
+function FlowstaAuthProvider({
+  children,
+  clientId,
+  redirectUri,
+  scopes,
+  loginUrl,
+  apiUrl
+}) {
+  const [auth] = useState(() => new FlowstaAuth({
+    clientId,
+    redirectUri,
+    scopes,
+    loginUrl,
+    apiUrl
+  }));
+  const [state, setState] = useState(() => auth.getState());
+  useEffect(() => {
+    setState(auth.getState());
+  }, [auth]);
+  const login = useCallback(async () => {
+    setState((prev) => ({ ...prev, isLoading: true, error: null }));
+    try {
+      await auth.login();
+    } catch (error) {
+      setState((prev) => ({
+        ...prev,
+        isLoading: false,
+        error: error instanceof Error ? error.message : "Login failed"
+      }));
+    }
+  }, [auth]);
+  const logout = useCallback(() => {
+    auth.logout();
+    setState({
+      isAuthenticated: false,
+      user: null,
+      accessToken: null,
+      isLoading: false,
+      error: null
+    });
+  }, [auth]);
+  const handleCallback = useCallback(async () => {
+    setState((prev) => ({ ...prev, isLoading: true, error: null }));
+    try {
+      const user = await auth.handleCallback();
+      setState({
+        isAuthenticated: true,
+        user,
+        accessToken: auth.getAccessToken(),
+        isLoading: false,
+        error: null
+      });
+      return user;
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : "Authentication failed";
+      setState((prev) => ({
+        ...prev,
+        isLoading: false,
+        error: errorMessage
+      }));
+      throw error;
+    }
+  }, [auth]);
+  const value = {
+    ...state,
+    login,
+    logout,
+    handleCallback
+  };
+  return /* @__PURE__ */ jsx(FlowstaAuthContext.Provider, { value, children });
+}
+function useFlowstaAuth() {
+  const context = useContext(FlowstaAuthContext);
+  if (!context) {
+    throw new Error("useFlowstaAuth must be used within a FlowstaAuthProvider");
+  }
+  return context;
+}
+function useRequireAuth(options) {
+  const { isAuthenticated, isLoading, login, ...rest } = useFlowstaAuth();
+  const [isReady, setIsReady] = useState(false);
+  useEffect(() => {
+    if (!isLoading) {
+      if (!isAuthenticated) {
+        if (options?.redirectTo) {
+          window.location.href = options.redirectTo;
+        } else {
+          login();
+        }
+      } else {
+        setIsReady(true);
+      }
+    }
+  }, [isAuthenticated, isLoading, login, options?.redirectTo]);
+  return { isAuthenticated, isLoading, isReady, ...rest };
+}
+var react_default = FlowstaAuthProvider;
+export {
+  FlowstaAuth,
+  FlowstaAuthProvider,
+  react_default as default,
+  useFlowstaAuth,
+  useRequireAuth
+};

package/package.json

@@ -0,0 +1,60 @@
+{
+  "name": "@flowsta/auth",
+  "version": "2.0.0",
+  "description": "Flowsta Auth SDK 2.0 - OAuth-only authentication for web applications",
+  "main": "./dist/index.js",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    },
+    "./react": {
+      "types": "./dist/react.d.ts",
+      "import": "./dist/react.mjs",
+      "require": "./dist/react.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsup src/index.ts src/react.tsx --format cjs,esm --dts",
+    "dev": "tsup src/index.ts src/react.tsx --format cjs,esm --dts --watch",
+    "test": "vitest",
+    "lint": "eslint src"
+  },
+  "keywords": [
+    "flowsta",
+    "auth",
+    "authentication",
+    "oauth",
+    "sso",
+    "pkce",
+    "zero-knowledge"
+  ],
+  "author": "Flowsta",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/WeAreFlowsta/flowsta-sdk.git",
+    "directory": "packages/auth"
+  },
+  "peerDependencies": {
+    "react": ">=17.0.0"
+  },
+  "peerDependenciesMeta": {
+    "react": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "tsup": "^8.0.0",
+    "typescript": "^5.3.0",
+    "vitest": "^1.0.0",
+    "@types/react": "^18.2.0"
+  }
+}
+