@ghostly-solutions/auth 0.1.1 → 0.2.1

package/dist/next.js

@@ -1,18 +1,7 @@
-// src/constants/auth-endpoints.ts
-var authApiPrefix = "/v1/auth";
-var authEndpoints = {
-  loginStart: `${authApiPrefix}/keycloak/login`,
-  validateKeycloakToken: `${authApiPrefix}/keycloak/validate`,
-  session: `${authApiPrefix}/me`,
-  logout: `${authApiPrefix}/logout`
-};
-
 // src/constants/http-status.ts
 var httpStatus = {
   ok: 200,
-  found: 302,
   noContent: 204,
-  badRequest: 400,
   unauthorized: 401
 };
 
@@ -32,9 +21,6 @@ var AuthSdkError = class extends Error {
 
 // src/types/auth-error-code.ts
 var authErrorCode = {
-  callbackMissingToken: "callback_missing_token",
-  callbackInvalidToken: "callback_invalid_token",
-  callbackValidationFailed: "callback_validation_failed",
   unauthorized: "unauthorized",
   networkError: "network_error",
   apiError: "api_error",
@@ -42,6 +28,55 @@ var authErrorCode = {
   serverOriginResolutionFailed: "server_origin_resolution_failed"
 };
 
+// src/constants/auth-endpoints.ts
+var authApiPrefix = "/oauth";
+var authEndpoints = {
+  authorize: `${authApiPrefix}/authorize`,
+  session: `${authApiPrefix}/session`,
+  refresh: `${authApiPrefix}/refresh`,
+  logout: `${authApiPrefix}/logout`
+};
+
+// src/core/api-origin.ts
+var slash = "/";
+function normalizeApiOrigin(apiOrigin) {
+  const trimmed = apiOrigin.trim();
+  if (!trimmed) {
+    throw new AuthSdkError({
+      code: authErrorCode.apiError,
+      details: null,
+      message: "Auth API origin must be a non-empty absolute URL.",
+      status: null
+    });
+  }
+  let parsed;
+  try {
+    parsed = new URL(trimmed);
+  } catch (error) {
+    throw new AuthSdkError({
+      code: authErrorCode.apiError,
+      details: error,
+      message: "Auth API origin must be a valid absolute URL.",
+      status: null
+    });
+  }
+  if (parsed.pathname !== slash || parsed.search || parsed.hash) {
+    throw new AuthSdkError({
+      code: authErrorCode.apiError,
+      details: null,
+      message: "Auth API origin must not include path, query, or hash.",
+      status: null
+    });
+  }
+  return parsed.origin;
+}
+function resolveApiEndpoint(path, apiOrigin) {
+  if (!apiOrigin) {
+    return path;
+  }
+  return `${normalizeApiOrigin(apiOrigin)}${path}`;
+}
+
 // src/core/object-guards.ts
 function isObjectRecord(value) {
   return typeof value === "object" && value !== null;
@@ -67,7 +102,15 @@ var fallbackHostHeaderName = "host";
 var forwardedProtoHeaderName = "x-forwarded-proto";
 var defaultProtocol = "https";
 var protocolSeparator = "://";
-var forwardedSessionHeaderNames = ["cookie", "authorization", "x-request-id"];
+var forwardedSessionHeaderNames = [
+  "accept-language",
+  "authorization",
+  "cookie",
+  "user-agent",
+  "x-forwarded-for",
+  "x-real-ip",
+  "x-request-id"
+];
 function resolveServerOrigin(options) {
   const host = options.headers.get(hostHeaderName) ?? options.headers.get(fallbackHostHeaderName);
   if (!host) {
@@ -107,8 +150,9 @@ function parseSessionPayload(payload) {
 }
 async function getServerSession(options) {
   const fetchImplementation = options.fetchImplementation ?? fetch;
-  const origin = resolveServerOrigin(options);
-  const response = await fetchImplementation(`${origin}${authEndpoints.session}`, {
+  const fallbackOrigin = options.apiOrigin ? void 0 : resolveServerOrigin(options);
+  const endpoint = resolveApiEndpoint(authEndpoints.session, options.apiOrigin ?? fallbackOrigin);
+  const response = await fetchImplementation(endpoint, {
     cache: "no-store",
     credentials: "include",
     headers: forwardSessionHeaders(options.headers),
@@ -147,110 +191,6 @@ async function requireServerSession(options) {
 }
 
 // src/adapters/next/auth-kit.ts
-var defaultCallbackToken = "mock-keycloak-token";
-var defaultCookieName = "gs_auth_session";
-var defaultCookieValue = "mock-session-super-admin";
-var defaultFrontendCallbackPath = "/auth/callback";
-var callbackCodePrefix = "mock_code_";
-var callbackStatePrefix = "mock_state_";
-var clearCookieDate = "Thu, 01 Jan 1970 00:00:00 GMT";
-var proxyForwardedHeaderNames = [
-  "accept-language",
-  "authorization",
-  "cookie",
-  "content-type",
-  "x-request-id"
-];
-function defaultMockSessionFactory() {
-  return {
-    id: "123",
-    username: "john_doe",
-    firstName: "John",
-    lastName: "Doe",
-    email: "john.doe@ghostlysolutions.ae",
-    role: "superAdmin",
-    permissions: [
-      "users:view",
-      "tasks:view",
-      "analytics:view",
-      "settings:view",
-      "audit-logs:view",
-      "admins:view"
-    ]
-  };
-}
-function createErrorPayload(code, message, details = null) {
-  return { code, message, details };
-}
-function toJsonResponse(payload, status) {
-  return new Response(JSON.stringify(payload), {
-    status,
-    headers: {
-      "content-type": "application/json"
-    }
-  });
-}
-function parseCookieValue(cookieHeader, cookieName) {
-  if (!cookieHeader) {
-    return null;
-  }
-  const prefix = `${cookieName}=`;
-  const pairs = cookieHeader.split(";").map((pair) => pair.trim());
-  const match = pairs.find((pair) => pair.startsWith(prefix));
-  return match ? match.slice(prefix.length) : null;
-}
-function shouldForwardBody(method) {
-  const normalized = method.toUpperCase();
-  return normalized !== "GET" && normalized !== "HEAD";
-}
-function resolveSecureCookie(requestUrl, secureMode) {
-  if (typeof secureMode === "boolean") {
-    return secureMode;
-  }
-  if (requestUrl.protocol !== "https:") {
-    return false;
-  }
-  const hostname = requestUrl.hostname.toLowerCase();
-  return hostname !== "localhost" && hostname !== "127.0.0.1";
-}
-function toSetCookieHeader(options) {
-  const attributes = ["Path=/", "HttpOnly", "SameSite=Lax"];
-  if (options.secure) {
-    attributes.push("Secure");
-  }
-  if (options.clear) {
-    attributes.push("Max-Age=0");
-    attributes.push(`Expires=${clearCookieDate}`);
-  }
-  return `${options.cookieName}=${options.cookieValue}; ${attributes.join("; ")}`;
-}
-async function proxyRequest(baseUrl, request2) {
-  const incomingUrl = new URL(request2.url);
-  const targetUrl = new URL(incomingUrl.pathname + incomingUrl.search, baseUrl);
-  const proxyHeaders = new Headers();
-  for (const headerName of proxyForwardedHeaderNames) {
-    const value = request2.headers.get(headerName);
-    if (value) {
-      proxyHeaders.set(headerName, value);
-    }
-  }
-  const body = shouldForwardBody(request2.method) ? await request2.text() : void 0;
-  const upstreamResponse = await fetch(targetUrl, {
-    method: request2.method,
-    headers: proxyHeaders,
-    cache: "no-store",
-    redirect: "manual",
-    ...body !== void 0 ? { body } : {}
-  });
-  const responseHeaders = new Headers();
-  for (const [headerName, headerValue] of upstreamResponse.headers.entries()) {
-    responseHeaders.set(headerName, headerValue);
-  }
-  return new Response(upstreamResponse.body, {
-    status: upstreamResponse.status,
-    headers: responseHeaders
-  });
-}
 async function resolveNextHeaders() {
   try {
     const importNextHeaders = new Function("return import('next/headers')");
@@ -281,26 +221,11 @@ function resolveNextProtocol(headers, explicitProtocol) {
   const normalizedHost = host.toLowerCase();
   return normalizedHost.includes("localhost") || normalizedHost.includes("127.0.0.1") ? "http" : "https";
 }
-function normalizeMockToken(payload) {
-  if (typeof payload !== "object" || payload === null || Array.isArray(payload)) {
-    return null;
-  }
-  const recordPayload = payload;
-  const keys = Object.keys(recordPayload);
-  if (keys.length !== 1 || !keys.includes("token")) {
-    return null;
-  }
-  const tokenValue = recordPayload.token;
-  if (typeof tokenValue !== "string") {
-    return null;
-  }
-  const normalized = tokenValue.trim();
-  return normalized.length > 0 ? normalized : null;
-}
 async function getNextServerSession(options = {}) {
   const headers = options.headers ?? await resolveNextHeaders();
   const protocol = resolveNextProtocol(headers, options.protocol);
   return getServerSession({
+    apiOrigin: options.apiOrigin,
     headers,
     protocol,
     ...options.fetchImplementation ? { fetchImplementation: options.fetchImplementation } : {}
@@ -325,154 +250,15 @@ async function requireNextServerSession(options = {}) {
     status: httpStatus.unauthorized
   });
 }
-function createNextAuthRouteHandlers(options) {
-  const callbackToken = options.mock?.callbackToken ?? defaultCallbackToken;
-  const cookieName = options.mock?.cookieName ?? defaultCookieName;
-  const cookieValue = options.mock?.cookieValue ?? defaultCookieValue;
-  const cookieSecure = options.mock?.cookieSecure ?? "auto";
-  const frontendCallbackPath = options.mock?.frontendCallbackPath ?? defaultFrontendCallbackPath;
-  const createSession = options.mock?.createSession ?? defaultMockSessionFactory;
-  const proxyOptions = options.proxy;
-  if (options.mode === "proxy" && !proxyOptions?.baseUrl) {
-    throw new AuthSdkError({
-      code: authErrorCode.apiError,
-      details: null,
-      message: "proxy.baseUrl is required in proxy mode.",
-      status: null
-    });
-  }
-  const proxyIfNeeded = async (request2) => {
-    if (options.mode !== "proxy") {
-      return null;
-    }
-    return proxyRequest(proxyOptions?.baseUrl ?? "", request2);
-  };
-  return {
-    keycloakLoginGet: async (request2) => {
-      const proxied = await proxyIfNeeded(request2);
-      if (proxied) {
-        return proxied;
-      }
-      const code = `${callbackCodePrefix}${crypto.randomUUID()}`;
-      const state = `${callbackStatePrefix}${crypto.randomUUID()}`;
-      const redirectTarget = `${authEndpoints.loginStart.replace("/login", "/callback")}?code=${encodeURIComponent(code)}&state=${encodeURIComponent(state)}`;
-      return new Response(null, {
-        status: httpStatus.found,
-        headers: {
-          location: redirectTarget
-        }
-      });
-    },
-    keycloakCallbackGet: async (request2) => {
-      const proxied = await proxyIfNeeded(request2);
-      if (proxied) {
-        return proxied;
-      }
-      const requestUrl = new URL(request2.url);
-      const code = requestUrl.searchParams.get("code")?.trim();
-      const state = requestUrl.searchParams.get("state")?.trim();
-      if (!(code && state)) {
-        return toJsonResponse(
-          createErrorPayload("bad_request", "code and state are required."),
-          httpStatus.badRequest
-        );
-      }
-      const callbackUrl = `${frontendCallbackPath}?token=${encodeURIComponent(callbackToken)}`;
-      return new Response(null, {
-        status: httpStatus.found,
-        headers: {
-          location: callbackUrl
-        }
-      });
-    },
-    keycloakValidatePost: async (request2) => {
-      const proxied = await proxyIfNeeded(request2);
-      if (proxied) {
-        return proxied;
-      }
-      let payload;
-      try {
-        payload = await request2.json();
-      } catch {
-        return toJsonResponse(
-          createErrorPayload("bad_request", "Request payload must be valid JSON."),
-          httpStatus.badRequest
-        );
-      }
-      const token = normalizeMockToken(payload);
-      if (!token) {
-        return toJsonResponse(
-          createErrorPayload(
-            "bad_request",
-            "Request payload must contain only non-empty token field."
-          ),
-          httpStatus.badRequest
-        );
-      }
-      if (token !== callbackToken) {
-        return toJsonResponse(
-          createErrorPayload("unauthorized", "Callback token is invalid or expired."),
-          httpStatus.unauthorized
-        );
-      }
-      const session = createSession();
-      const responsePayload = { session };
-      const secure = resolveSecureCookie(new URL(request2.url), cookieSecure);
-      return new Response(JSON.stringify(responsePayload), {
-        status: httpStatus.ok,
-        headers: {
-          "content-type": "application/json",
-          "set-cookie": toSetCookieHeader({
-            cookieName,
-            cookieValue,
-            secure
-          })
-        }
-      });
-    },
-    meGet: async (request2) => {
-      const proxied = await proxyIfNeeded(request2);
-      if (proxied) {
-        return proxied;
-      }
-      const cookie = request2.headers.get("cookie");
-      const session = parseCookieValue(cookie, cookieName) === cookieValue ? createSession() : null;
-      return toJsonResponse(session, httpStatus.ok);
-    },
-    logoutPost: async (request2) => {
-      const proxied = await proxyIfNeeded(request2);
-      if (proxied) {
-        return proxied;
-      }
-      const secure = resolveSecureCookie(new URL(request2.url), cookieSecure);
-      return new Response(null, {
-        status: httpStatus.noContent,
-        headers: {
-          "set-cookie": toSetCookieHeader({
-            cookieName,
-            cookieValue: "",
-            secure,
-            clear: true
-          })
-        }
-      });
-    }
-  };
-}
 
 // src/constants/auth-keys.ts
-var authQueryKeys = {
-  token: "token"
-};
-var authStorageKeys = {
-  returnTo: "ghostly-auth:return-to"
-};
 var authBroadcast = {
   channelName: "ghostly-auth-channel",
   sessionUpdatedEvent: "session-updated"
 };
 var authRoutes = {
-  root: "/"};
+  root: "/"
+};
 
 // src/core/broadcast-sync.ts
 function isSessionUpdatedMessage(value) {
@@ -523,19 +309,6 @@ function createBroadcastSync(options) {
   };
 }
 
-// src/core/callback-url.ts
-function readCallbackToken(url) {
-  return url.searchParams.get(authQueryKeys.token);
-}
-function removeCallbackToken(url) {
-  const nextUrl = new URL(url.toString());
-  nextUrl.searchParams.delete(authQueryKeys.token);
-  return nextUrl;
-}
-function replaceBrowserHistory(url) {
-  window.history.replaceState(null, "", url.toString());
-}
-
 // src/core/http-client.ts
 var jsonContentType = "application/json";
 var jsonHeaderName = "content-type";
@@ -631,9 +404,8 @@ function getJson(path) {
     path
   });
 }
-function postJson(path, body) {
+function postJsonWithoutBody(path) {
   return request({
-    body,
     method: "POST",
     path
   });
@@ -680,18 +452,10 @@ function sanitizeReturnTo(value) {
 function getCurrentBrowserPath() {
   return `${window.location.pathname}${window.location.search}${window.location.hash}`;
 }
-function saveReturnToPath(returnTo) {
+function resolveReturnToPath(returnTo) {
   assertBrowserRuntime();
   const fallbackPath = getCurrentBrowserPath();
-  const sanitized = sanitizeReturnTo(returnTo ?? fallbackPath);
-  window.sessionStorage.setItem(authStorageKeys.returnTo, sanitized);
-  return sanitized;
-}
-function consumeReturnToPath() {
-  assertBrowserRuntime();
-  const value = window.sessionStorage.getItem(authStorageKeys.returnTo);
-  window.sessionStorage.removeItem(authStorageKeys.returnTo);
-  return sanitizeReturnTo(value);
+  return sanitizeReturnTo(returnTo ?? fallbackPath);
 }
 
 // src/core/session-store.ts
@@ -724,10 +488,6 @@ var SessionStore = class {
 };
 
 // src/core/auth-client.ts
-function createPendingRedirectPromise() {
-  return new Promise(() => {
-  });
-}
 function createInvalidSessionPayloadError(path) {
   return new AuthSdkError({
     code: authErrorCode.apiError,
@@ -742,29 +502,11 @@ function toValidatedSession(payload, path) {
   }
   return payload;
 }
-function toCallbackFailure(error) {
-  if (error instanceof AuthSdkError) {
-    if (error.status === httpStatus.unauthorized) {
-      return new AuthSdkError({
-        code: authErrorCode.callbackInvalidToken,
-        details: error.details,
-        message: "Callback JWT is invalid or expired.",
-        status: error.status
-      });
-    }
-    return new AuthSdkError({
-      code: authErrorCode.callbackValidationFailed,
-      details: error.details,
-      message: "Keycloak callback validation failed.",
-      status: error.status
-    });
+function toSessionPayload(payload, path) {
+  if (payload === null) {
+    return null;
   }
-  return new AuthSdkError({
-    code: authErrorCode.callbackValidationFailed,
-    details: error,
-    message: "Keycloak callback validation failed.",
-    status: null
-  });
+  return toValidatedSession(payload, path);
 }
 function createNoopBroadcastSync() {
   return {
@@ -786,25 +528,53 @@ function createSafeBroadcastSync(onSessionUpdated) {
     throw error;
   }
 }
-async function fetchCurrentSessionFromApi() {
-  const payload = await getJson(authEndpoints.session);
-  if (payload === null) {
-    return null;
-  }
-  return toValidatedSession(payload, authEndpoints.session);
+function toInitResult(session) {
+  return {
+    session,
+    status: session ? "authenticated" : "unauthenticated"
+  };
 }
-function createAuthClient() {
-  assertBrowserRuntime();
+function createAuthClient(options = {}) {
+  let initPromise = null;
+  const defaultApplication = options.application?.trim() || "";
   const sessionStore = new SessionStore();
   const broadcastSync = createSafeBroadcastSync((session) => {
     sessionStore.setSession(session);
   });
-  const getSession = async (options) => {
-    const forceRefresh = options?.forceRefresh ?? false;
+  const resolveEndpoint = (path) => resolveApiEndpoint(path, options.apiOrigin);
+  const loadSession = async () => {
+    const payload = await getJson(resolveEndpoint(authEndpoints.session));
+    return toSessionPayload(payload, authEndpoints.session);
+  };
+  const init = async (initOptions) => {
+    const forceRefresh = initOptions?.forceRefresh ?? false;
     if (sessionStore.hasResolvedSession() && !forceRefresh) {
-      return sessionStore.getSessionIfResolved();
+      return toInitResult(sessionStore.getSessionIfResolved());
+    }
+    if (initPromise) {
+      return initPromise;
     }
-    const session = await fetchCurrentSessionFromApi();
+    initPromise = (async () => {
+      const session = await loadSession();
+      sessionStore.setSession(session);
+      broadcastSync.publishSession(session);
+      return toInitResult(session);
+    })();
+    try {
+      return await initPromise;
+    } finally {
+      initPromise = null;
+    }
+  };
+  const getSession = async (requestOptions) => {
+    const result = await init({
+      forceRefresh: requestOptions?.forceRefresh ?? false
+    });
+    return result.session;
+  };
+  const refresh = async () => {
+    const payload = await postJsonWithoutBody(resolveEndpoint(authEndpoints.refresh));
+    const session = toSessionPayload(payload, authEndpoints.refresh);
     sessionStore.setSession(session);
     broadcastSync.publishSession(session);
     return session;
@@ -821,63 +591,35 @@ function createAuthClient() {
       status: httpStatus.unauthorized
     });
   };
-  const login = (options) => {
-    saveReturnToPath(options?.returnTo);
-    window.location.assign(authEndpoints.loginStart);
-  };
-  const processCallback = async () => {
-    const currentUrl = new URL(window.location.href);
-    const token = readCallbackToken(currentUrl);
-    if (!token) {
-      throw new AuthSdkError({
-        code: authErrorCode.callbackMissingToken,
-        details: null,
-        message: "Missing callback token query parameter.",
-        status: httpStatus.badRequest
-      });
-    }
-    const cleanedUrl = removeCallbackToken(currentUrl);
-    replaceBrowserHistory(cleanedUrl);
-    try {
-      const payload = await postJson(
-        authEndpoints.validateKeycloakToken,
-        { token }
-      );
-      const session = toValidatedSession(payload.session, authEndpoints.validateKeycloakToken);
-      sessionStore.setSession(session);
-      broadcastSync.publishSession(session);
-      return {
-        redirectTo: consumeReturnToPath(),
-        session
-      };
-    } catch (error) {
-      throw toCallbackFailure(error);
+  const login = (loginOptions) => {
+    const returnTo = resolveReturnToPath(loginOptions?.returnTo);
+    const authorizeUrl = new URL(resolveEndpoint(authEndpoints.authorize), window.location.origin);
+    authorizeUrl.searchParams.set("return_to", returnTo);
+    const application = loginOptions?.application?.trim() || defaultApplication;
+    if (application) {
+      authorizeUrl.searchParams.set("app", application);
     }
-  };
-  const completeCallbackRedirect = async () => {
-    const result = await processCallback();
-    window.location.replace(result.redirectTo);
-    return createPendingRedirectPromise();
+    window.location.assign(authorizeUrl.toString());
   };
   const logout = async () => {
-    await postEmpty(authEndpoints.logout);
+    await postEmpty(resolveEndpoint(authEndpoints.logout));
     sessionStore.setSession(null);
     broadcastSync.publishSession(null);
   };
   const subscribe = sessionStore.subscribe.bind(sessionStore);
   return {
-    completeCallbackRedirect,
+    init,
     getSession,
     login,
     logout,
-    processCallback,
+    refresh,
     requireSession,
     subscribe
   };
 }
 
 // src/adapters/next/client-guard.ts
-function createPendingRedirectPromise2() {
+function createPendingRedirectPromise() {
   return new Promise(() => {
   });
 }
@@ -888,12 +630,12 @@ async function ensureClientAuthenticated(client) {
   } catch (error) {
     if (error instanceof AuthSdkError && error.code === authErrorCode.unauthorized) {
       authClient.login();
-      return createPendingRedirectPromise2();
+      return createPendingRedirectPromise();
     }
     throw error;
   }
 }
 
-export { createNextAuthRouteHandlers, ensureClientAuthenticated, getNextServerSession, getServerSession, requireNextServerSession, requireServerSession, tryGetNextServerSession };
+export { ensureClientAuthenticated, getNextServerSession, getServerSession, requireNextServerSession, requireServerSession, tryGetNextServerSession };
 //# sourceMappingURL=next.js.map
 //# sourceMappingURL=next.js.map