@ghostly-solutions/auth 0.1.0 → 0.2.1

package/dist/react.js

@@ -1,14 +1,14 @@
 import { createContext, useMemo, useState, useEffect, useCallback, useContext } from 'react';
 import { jsx, Fragment } from 'react/jsx-runtime';
 
-// src/adapters/react/auth-callback-handler.tsx
+// src/adapters/react/auth-provider.tsx
 
 // src/constants/auth-endpoints.ts
-var authApiPrefix = "/v1/auth";
+var authApiPrefix = "/oauth";
 var authEndpoints = {
-  loginStart: `${authApiPrefix}/keycloak/login`,
-  validateKeycloakToken: `${authApiPrefix}/keycloak/validate`,
-  session: `${authApiPrefix}/me`,
+  authorize: `${authApiPrefix}/authorize`,
+  session: `${authApiPrefix}/session`,
+  refresh: `${authApiPrefix}/refresh`,
   logout: `${authApiPrefix}/logout`
 };
 
@@ -16,7 +16,6 @@ var authEndpoints = {
 var httpStatus = {
   ok: 200,
   noContent: 204,
-  badRequest: 400,
   unauthorized: 401
 };
 
@@ -36,27 +35,59 @@ var AuthSdkError = class extends Error {
 
 // src/types/auth-error-code.ts
 var authErrorCode = {
-  callbackMissingToken: "callback_missing_token",
-  callbackInvalidToken: "callback_invalid_token",
-  callbackValidationFailed: "callback_validation_failed",
   unauthorized: "unauthorized",
   networkError: "network_error",
   apiError: "api_error",
   broadcastChannelUnsupported: "broadcast_channel_unsupported"};
 
+// src/core/api-origin.ts
+var slash = "/";
+function normalizeApiOrigin(apiOrigin) {
+  const trimmed = apiOrigin.trim();
+  if (!trimmed) {
+    throw new AuthSdkError({
+      code: authErrorCode.apiError,
+      details: null,
+      message: "Auth API origin must be a non-empty absolute URL.",
+      status: null
+    });
+  }
+  let parsed;
+  try {
+    parsed = new URL(trimmed);
+  } catch (error) {
+    throw new AuthSdkError({
+      code: authErrorCode.apiError,
+      details: error,
+      message: "Auth API origin must be a valid absolute URL.",
+      status: null
+    });
+  }
+  if (parsed.pathname !== slash || parsed.search || parsed.hash) {
+    throw new AuthSdkError({
+      code: authErrorCode.apiError,
+      details: null,
+      message: "Auth API origin must not include path, query, or hash.",
+      status: null
+    });
+  }
+  return parsed.origin;
+}
+function resolveApiEndpoint(path, apiOrigin) {
+  if (!apiOrigin) {
+    return path;
+  }
+  return `${normalizeApiOrigin(apiOrigin)}${path}`;
+}
+
 // src/constants/auth-keys.ts
-var authQueryKeys = {
-  token: "token"
-};
-var authStorageKeys = {
-  returnTo: "ghostly-auth:return-to"
-};
 var authBroadcast = {
   channelName: "ghostly-auth-channel",
   sessionUpdatedEvent: "session-updated"
 };
 var authRoutes = {
-  root: "/"};
+  root: "/"
+};
 
 // src/core/object-guards.ts
 function isObjectRecord(value) {
@@ -126,19 +157,6 @@ function createBroadcastSync(options) {
   };
 }
 
-// src/core/callback-url.ts
-function readCallbackToken(url) {
-  return url.searchParams.get(authQueryKeys.token);
-}
-function removeCallbackToken(url) {
-  const nextUrl = new URL(url.toString());
-  nextUrl.searchParams.delete(authQueryKeys.token);
-  return nextUrl;
-}
-function replaceBrowserHistory(url) {
-  window.history.replaceState(null, "", url.toString());
-}
-
 // src/core/http-client.ts
 var jsonContentType = "application/json";
 var jsonHeaderName = "content-type";
@@ -234,9 +252,8 @@ function getJson(path) {
     path
   });
 }
-function postJson(path, body) {
+function postJsonWithoutBody(path) {
   return request({
-    body,
     method: "POST",
     path
   });
@@ -283,18 +300,10 @@ function sanitizeReturnTo(value) {
 function getCurrentBrowserPath() {
   return `${window.location.pathname}${window.location.search}${window.location.hash}`;
 }
-function saveReturnToPath(returnTo) {
+function resolveReturnToPath(returnTo) {
   assertBrowserRuntime();
   const fallbackPath = getCurrentBrowserPath();
-  const sanitized = sanitizeReturnTo(returnTo ?? fallbackPath);
-  window.sessionStorage.setItem(authStorageKeys.returnTo, sanitized);
-  return sanitized;
-}
-function consumeReturnToPath() {
-  assertBrowserRuntime();
-  const value = window.sessionStorage.getItem(authStorageKeys.returnTo);
-  window.sessionStorage.removeItem(authStorageKeys.returnTo);
-  return sanitizeReturnTo(value);
+  return sanitizeReturnTo(returnTo ?? fallbackPath);
 }
 
 // src/core/session-store.ts
@@ -327,10 +336,6 @@ var SessionStore = class {
 };
 
 // src/core/auth-client.ts
-function createPendingRedirectPromise() {
-  return new Promise(() => {
-  });
-}
 function createInvalidSessionPayloadError(path) {
   return new AuthSdkError({
     code: authErrorCode.apiError,
@@ -345,29 +350,11 @@ function toValidatedSession(payload, path) {
   }
   return payload;
 }
-function toCallbackFailure(error) {
-  if (error instanceof AuthSdkError) {
-    if (error.status === httpStatus.unauthorized) {
-      return new AuthSdkError({
-        code: authErrorCode.callbackInvalidToken,
-        details: error.details,
-        message: "Callback JWT is invalid or expired.",
-        status: error.status
-      });
-    }
-    return new AuthSdkError({
-      code: authErrorCode.callbackValidationFailed,
-      details: error.details,
-      message: "Keycloak callback validation failed.",
-      status: error.status
-    });
+function toSessionPayload(payload, path) {
+  if (payload === null) {
+    return null;
   }
-  return new AuthSdkError({
-    code: authErrorCode.callbackValidationFailed,
-    details: error,
-    message: "Keycloak callback validation failed.",
-    status: null
-  });
+  return toValidatedSession(payload, path);
 }
 function createNoopBroadcastSync() {
   return {
@@ -389,25 +376,53 @@ function createSafeBroadcastSync(onSessionUpdated) {
     throw error;
   }
 }
-async function fetchCurrentSessionFromApi() {
-  const payload = await getJson(authEndpoints.session);
-  if (payload === null) {
-    return null;
-  }
-  return toValidatedSession(payload, authEndpoints.session);
+function toInitResult(session) {
+  return {
+    session,
+    status: session ? "authenticated" : "unauthenticated"
+  };
 }
-function createAuthClient() {
-  assertBrowserRuntime();
+function createAuthClient(options = {}) {
+  let initPromise = null;
+  const defaultApplication = options.application?.trim() || "";
   const sessionStore = new SessionStore();
   const broadcastSync = createSafeBroadcastSync((session) => {
     sessionStore.setSession(session);
   });
-  const getSession = async (options) => {
-    const forceRefresh = options?.forceRefresh ?? false;
+  const resolveEndpoint = (path) => resolveApiEndpoint(path, options.apiOrigin);
+  const loadSession = async () => {
+    const payload = await getJson(resolveEndpoint(authEndpoints.session));
+    return toSessionPayload(payload, authEndpoints.session);
+  };
+  const init = async (initOptions) => {
+    const forceRefresh = initOptions?.forceRefresh ?? false;
     if (sessionStore.hasResolvedSession() && !forceRefresh) {
-      return sessionStore.getSessionIfResolved();
+      return toInitResult(sessionStore.getSessionIfResolved());
+    }
+    if (initPromise) {
+      return initPromise;
     }
-    const session = await fetchCurrentSessionFromApi();
+    initPromise = (async () => {
+      const session = await loadSession();
+      sessionStore.setSession(session);
+      broadcastSync.publishSession(session);
+      return toInitResult(session);
+    })();
+    try {
+      return await initPromise;
+    } finally {
+      initPromise = null;
+    }
+  };
+  const getSession = async (requestOptions) => {
+    const result = await init({
+      forceRefresh: requestOptions?.forceRefresh ?? false
+    });
+    return result.session;
+  };
+  const refresh = async () => {
+    const payload = await postJsonWithoutBody(resolveEndpoint(authEndpoints.refresh));
+    const session = toSessionPayload(payload, authEndpoints.refresh);
     sessionStore.setSession(session);
     broadcastSync.publishSession(session);
     return session;
@@ -424,106 +439,32 @@ function createAuthClient() {
       status: httpStatus.unauthorized
     });
   };
-  const login = (options) => {
-    saveReturnToPath(options?.returnTo);
-    window.location.assign(authEndpoints.loginStart);
-  };
-  const processCallback = async () => {
-    const currentUrl = new URL(window.location.href);
-    const token = readCallbackToken(currentUrl);
-    if (!token) {
-      throw new AuthSdkError({
-        code: authErrorCode.callbackMissingToken,
-        details: null,
-        message: "Missing callback token query parameter.",
-        status: httpStatus.badRequest
-      });
+  const login = (loginOptions) => {
+    const returnTo = resolveReturnToPath(loginOptions?.returnTo);
+    const authorizeUrl = new URL(resolveEndpoint(authEndpoints.authorize), window.location.origin);
+    authorizeUrl.searchParams.set("return_to", returnTo);
+    const application = loginOptions?.application?.trim() || defaultApplication;
+    if (application) {
+      authorizeUrl.searchParams.set("app", application);
     }
-    const cleanedUrl = removeCallbackToken(currentUrl);
-    replaceBrowserHistory(cleanedUrl);
-    try {
-      const payload = await postJson(
-        authEndpoints.validateKeycloakToken,
-        { token }
-      );
-      const session = toValidatedSession(payload.session, authEndpoints.validateKeycloakToken);
-      sessionStore.setSession(session);
-      broadcastSync.publishSession(session);
-      return {
-        redirectTo: consumeReturnToPath(),
-        session
-      };
-    } catch (error) {
-      throw toCallbackFailure(error);
-    }
-  };
-  const completeCallbackRedirect = async () => {
-    const result = await processCallback();
-    window.location.replace(result.redirectTo);
-    return createPendingRedirectPromise();
+    window.location.assign(authorizeUrl.toString());
   };
   const logout = async () => {
-    await postEmpty(authEndpoints.logout);
+    await postEmpty(resolveEndpoint(authEndpoints.logout));
     sessionStore.setSession(null);
     broadcastSync.publishSession(null);
   };
   const subscribe = sessionStore.subscribe.bind(sessionStore);
   return {
-    completeCallbackRedirect,
+    init,
     getSession,
     login,
     logout,
-    processCallback,
+    refresh,
     requireSession,
     subscribe
   };
 }
-function normalizeAuthError(error) {
-  if (error instanceof AuthSdkError) {
-    return error;
-  }
-  return new AuthSdkError({
-    code: "callback_validation_failed",
-    details: error,
-    message: "Auth callback redirect failed.",
-    status: null
-  });
-}
-function useAuthCallbackRedirect(options = {}) {
-  const client = useMemo(() => options.client ?? createAuthClient(), [options.client]);
-  const [error, setError] = useState(null);
-  useEffect(() => {
-    let isActive = true;
-    void client.completeCallbackRedirect().catch((caughtError) => {
-      if (!isActive) {
-        return;
-      }
-      setError(normalizeAuthError(caughtError));
-    });
-    return () => {
-      isActive = false;
-    };
-  }, [client]);
-  if (error) {
-    return {
-      error,
-      status: "failed"
-    };
-  }
-  return {
-    error: null,
-    status: "processing"
-  };
-}
-function AuthCallbackHandler(props) {
-  const state = useAuthCallbackRedirect({
-    client: props.client
-  });
-  if (state.status === "failed" && state.error) {
-    return props.renderError(state.error);
-  }
-  return /* @__PURE__ */ jsx(Fragment, { children: props.processing });
-}
 var AuthContext = createContext(null);
 var initialLoadingState = true;
 function toAuthError(error) {
@@ -544,8 +485,8 @@ function createDeferredAuthClient() {
     return authClient;
   };
   return {
-    completeCallbackRedirect() {
-      return resolveClient().completeCallbackRedirect();
+    init(options) {
+      return resolveClient().init(options);
     },
     getSession(options) {
       return resolveClient().getSession(options);
@@ -556,8 +497,8 @@ function createDeferredAuthClient() {
     logout() {
       return resolveClient().logout();
     },
-    processCallback() {
-      return resolveClient().processCallback();
+    refresh() {
+      return resolveClient().refresh();
     },
     requireSession() {
       return resolveClient().requireSession();
@@ -573,23 +514,35 @@ function createDeferredAuthClient() {
 }
 function AuthProvider(props) {
   const authClient = useMemo(() => props.client ?? createDeferredAuthClient(), [props.client]);
-  const [session, setSession] = useState(null);
+  const [session, setSession] = useState(props.initialSession ?? null);
   const [error, setError] = useState(null);
-  const [isLoading, setIsLoading] = useState(initialLoadingState);
+  const [isLoading, setIsLoading] = useState(
+    props.initialSession === void 0 ? initialLoadingState : false
+  );
   useEffect(() => {
     let isActive = true;
+    const requiresBootstrap = props.initialSession === void 0;
+    if (!requiresBootstrap) {
+      setSession(props.initialSession ?? null);
+      setIsLoading(false);
+    }
     const unsubscribe = authClient.subscribe((nextSession) => {
       if (!isActive) {
         return;
       }
       setSession(nextSession);
-      setIsLoading(false);
     });
-    void authClient.getSession().then((nextSession) => {
+    if (!requiresBootstrap) {
+      return () => {
+        isActive = false;
+        unsubscribe();
+      };
+    }
+    void authClient.init().then((result) => {
       if (!isActive) {
         return;
       }
-      setSession(nextSession);
+      setSession(result.session);
     }).catch((caughtError) => {
       if (!isActive) {
         return;
@@ -605,7 +558,7 @@ function AuthProvider(props) {
       isActive = false;
       unsubscribe();
     };
-  }, [authClient]);
+  }, [authClient, props.initialSession]);
   const login = useCallback(
     (options) => {
       setError(null);
@@ -627,7 +580,7 @@ function AuthProvider(props) {
   const refresh = useCallback(async () => {
     setError(null);
     try {
-      const nextSession = await authClient.getSession({ forceRefresh: true });
+      const nextSession = await authClient.refresh();
       setSession(nextSession);
       return nextSession;
     } catch (caughtError) {
@@ -676,6 +629,6 @@ function AuthSessionGate(props) {
   return /* @__PURE__ */ jsx(Fragment, { children: props.authorized(auth.session) });
 }
 
-export { AuthCallbackHandler, AuthProvider, AuthSessionGate, useAuth, useAuthCallbackRedirect };
+export { AuthProvider, AuthSessionGate, useAuth };
 //# sourceMappingURL=react.js.map
 //# sourceMappingURL=react.js.map