@ghostly-solutions/auth 0.2.1 → 0.2.3

package/dist/extension.js

@@ -2,11 +2,19 @@
 var authApiPrefix = "/oauth";
 var authEndpoints = {
   authorize: `${authApiPrefix}/authorize`,
+  extensionToken: `${authApiPrefix}/extension/token`,
   session: `${authApiPrefix}/session`,
   refresh: `${authApiPrefix}/refresh`,
   logout: `${authApiPrefix}/logout`
 };
 
+// src/constants/http-status.ts
+var httpStatus = {
+  ok: 200,
+  noContent: 204,
+  unauthorized: 401
+};
+
 // src/errors/auth-sdk-error.ts
 var AuthSdkError = class extends Error {
   code;
@@ -68,13 +76,6 @@ function resolveApiEndpoint(path, apiOrigin) {
   return `${normalizeApiOrigin(apiOrigin)}${path}`;
 }
 
-// src/constants/http-status.ts
-var httpStatus = {
-  ok: 200,
-  noContent: 204,
-  unauthorized: 401
-};
-
 // src/constants/auth-keys.ts
 var authBroadcast = {
   channelName: "ghostly-auth-channel",
@@ -152,115 +153,6 @@ function createBroadcastSync(options) {
   };
 }
 
-// src/core/http-client.ts
-var jsonContentType = "application/json";
-var jsonHeaderName = "content-type";
-var includeCredentials = "include";
-var noStoreCache = "no-store";
-function toTypedValue(value) {
-  return value;
-}
-function mapHttpStatusToAuthErrorCode(status) {
-  if (status === httpStatus.unauthorized) {
-    return authErrorCode.unauthorized;
-  }
-  return authErrorCode.apiError;
-}
-async function parseJsonPayload(response) {
-  try {
-    return await response.json();
-  } catch {
-    return null;
-  }
-}
-async function parseErrorPayload(response) {
-  const payload = await parseJsonPayload(response);
-  if (!isObjectRecord(payload)) {
-    return {
-      code: null,
-      details: null,
-      message: null
-    };
-  }
-  const maybeCode = payload.code;
-  const maybeMessage = payload.message;
-  return {
-    code: isStringValue(maybeCode) ? maybeCode : null,
-    details: "details" in payload ? payload.details : null,
-    message: isStringValue(maybeMessage) ? maybeMessage : null
-  };
-}
-function buildApiErrorMessage(method, path) {
-  return `Auth API request failed: ${method} ${path}`;
-}
-function buildNetworkErrorMessage(method, path) {
-  return `Auth API network failure: ${method} ${path}`;
-}
-async function request(options) {
-  const expectedStatus = options.expectedStatus ?? httpStatus.ok;
-  const headers = new Headers();
-  const hasBody = typeof options.body !== "undefined";
-  if (hasBody) {
-    headers.set(jsonHeaderName, jsonContentType);
-  }
-  const requestInit = {
-    cache: noStoreCache,
-    credentials: includeCredentials,
-    headers,
-    method: options.method
-  };
-  if (hasBody) {
-    requestInit.body = JSON.stringify(options.body);
-  }
-  let response;
-  try {
-    response = await fetch(options.path, requestInit);
-  } catch (error) {
-    throw new AuthSdkError({
-      code: authErrorCode.networkError,
-      details: error,
-      message: buildNetworkErrorMessage(options.method, options.path),
-      status: null
-    });
-  }
-  if (response.status !== expectedStatus) {
-    const parsed = await parseErrorPayload(response);
-    throw new AuthSdkError({
-      code: mapHttpStatusToAuthErrorCode(response.status),
-      details: {
-        apiCode: parsed.code,
-        apiDetails: parsed.details
-      },
-      message: parsed.message ?? buildApiErrorMessage(options.method, options.path),
-      status: response.status
-    });
-  }
-  if (response.status === httpStatus.noContent) {
-    return toTypedValue(null);
-  }
-  const payload = await parseJsonPayload(response);
-  return toTypedValue(payload);
-}
-function getJson(path) {
-  return request({
-    method: "GET",
-    path
-  });
-}
-function postJsonWithoutBody(path) {
-  return request({
-    method: "POST",
-    path
-  });
-}
-function postEmpty(path) {
-  return request({
-    expectedStatus: httpStatus.noContent,
-    method: "POST",
-    path
-  });
-}
-
 // src/core/runtime.ts
 var browserRuntimeErrorMessage = "Browser runtime is required for this auth operation.";
 function isBrowserRuntime() {
@@ -330,27 +222,11 @@ var SessionStore = class {
   }
 };
 
-// src/core/auth-client.ts
-function createInvalidSessionPayloadError(path) {
-  return new AuthSdkError({
-    code: authErrorCode.apiError,
-    details: null,
-    message: `Auth API response has invalid session shape: ${path}`,
-    status: null
-  });
-}
-function toValidatedSession(payload, path) {
-  if (!isGhostlySession(payload)) {
-    throw createInvalidSessionPayloadError(path);
-  }
-  return payload;
-}
-function toSessionPayload(payload, path) {
-  if (payload === null) {
-    return null;
-  }
-  return toValidatedSession(payload, path);
-}
+// src/adapters/extension/auth-client.ts
+var extensionSessionHeader = "X-Ghostly-Session-Id";
+var includeCredentials = "include";
+var noStoreCache = "no-store";
+var tokenFreshnessLeewayMs = 6e4;
 function createNoopBroadcastSync() {
   return {
     close() {
@@ -371,25 +247,142 @@ function createSafeBroadcastSync(onSessionUpdated) {
     throw error;
   }
 }
+function buildApiErrorMessage(method, path) {
+  return `Auth API request failed: ${method} ${path}`;
+}
+function buildNetworkErrorMessage(method, path) {
+  return `Auth API network failure: ${method} ${path}`;
+}
+function createInvalidSessionPayloadError(path) {
+  return new AuthSdkError({
+    code: authErrorCode.apiError,
+    details: null,
+    message: `Auth API response has invalid session shape: ${path}`,
+    status: null
+  });
+}
 function toInitResult(session) {
   return {
     session,
     status: session ? "authenticated" : "unauthenticated"
   };
 }
-function createAuthClient(options = {}) {
-  let initPromise = null;
-  const defaultApplication = options.application?.trim() || "";
-  const sessionStore = new SessionStore();
-  const broadcastSync = createSafeBroadcastSync((session) => {
-    sessionStore.setSession(session);
-  });
+function parseSessionPayload(payload, path) {
+  if (payload === null) {
+    return null;
+  }
+  if (!isGhostlySession(payload)) {
+    throw createInvalidSessionPayloadError(path);
+  }
+  return payload;
+}
+function isExtensionAccessToken(value) {
+  if (!isObjectRecord(value)) {
+    return false;
+  }
+  return isStringValue(value.accessToken) && isStringValue(value.application) && (value.expiresAt === null || isStringValue(value.expiresAt)) && (value.session === null || isGhostlySession(value.session)) && isStringValue(value.tokenType);
+}
+function isStoredTokenFresh(token) {
+  if (!token || !token.accessToken.trim()) {
+    return false;
+  }
+  if (!token.expiresAt) {
+    return true;
+  }
+  const expiresAt = Date.parse(token.expiresAt);
+  if (Number.isNaN(expiresAt)) {
+    return false;
+  }
+  return expiresAt - Date.now() > tokenFreshnessLeewayMs;
+}
+function buildAuthorizeUrl(apiOrigin, returnTo, application) {
+  const authorizeEndpoint = resolveApiEndpoint(authEndpoints.authorize, apiOrigin);
+  const authorizeUrl = new URL(authorizeEndpoint, window.location.origin);
+  authorizeUrl.searchParams.set("return_to", returnTo);
+  if (application?.trim()) {
+    authorizeUrl.searchParams.set("app", application.trim());
+  }
+  return authorizeUrl.toString();
+}
+function resolveExtensionReturnToPath(requestedReturnTo, defaultReturnToPath) {
+  if (requestedReturnTo?.trim()) {
+    return resolveReturnToPath(requestedReturnTo);
+  }
+  if (defaultReturnToPath?.trim()) {
+    return resolveReturnToPath(defaultReturnToPath);
+  }
+  return resolveReturnToPath(requestedReturnTo);
+}
+function parseErrorPayload(payload) {
+  if (!isObjectRecord(payload)) {
+    return {
+      details: null,
+      message: null
+    };
+  }
+  return {
+    details: "details" in payload ? payload.details : null,
+    message: isStringValue(payload.message) ? payload.message : isStringValue(payload.error) ? payload.error : null
+  };
+}
+function createRequest(options) {
   const resolveEndpoint = (path) => resolveApiEndpoint(path, options.apiOrigin);
-  const loadSession = async () => {
-    const payload = await getJson(resolveEndpoint(authEndpoints.session));
-    return toSessionPayload(payload, authEndpoints.session);
+  return async function request(requestOptions) {
+    const expectedStatus = requestOptions.expectedStatus ?? httpStatus.ok;
+    const headers = new Headers();
+    const sessionId = (await options.resolveSessionId?.())?.trim() || "";
+    if (sessionId) {
+      headers.set(extensionSessionHeader, sessionId);
+    }
+    let response;
+    try {
+      response = await fetch(resolveEndpoint(requestOptions.path), {
+        cache: noStoreCache,
+        credentials: includeCredentials,
+        headers,
+        method: requestOptions.method
+      });
+    } catch (error) {
+      throw new AuthSdkError({
+        code: authErrorCode.networkError,
+        details: error,
+        message: buildNetworkErrorMessage(requestOptions.method, requestOptions.path),
+        status: null
+      });
+    }
+    if (response.status !== expectedStatus) {
+      let parsedPayload = null;
+      try {
+        parsedPayload = await response.json();
+      } catch {
+        parsedPayload = null;
+      }
+      const parsed = parseErrorPayload(parsedPayload);
+      throw new AuthSdkError({
+        code: response.status === httpStatus.unauthorized ? authErrorCode.unauthorized : authErrorCode.apiError,
+        details: parsed.details,
+        message: parsed.message ?? buildApiErrorMessage(requestOptions.method, requestOptions.path),
+        status: response.status
+      });
+    }
+    if (response.status === httpStatus.noContent) {
+      return null;
+    }
+    return await response.json();
+  };
+}
+function createLoadSession(request) {
+  return async () => {
+    const payload = await request({
+      method: "GET",
+      path: authEndpoints.session
+    });
+    return parseSessionPayload(payload, authEndpoints.session);
   };
-  const init = async (initOptions) => {
+}
+function createInit(sessionStore, loadSession, publishSession) {
+  let initPromise = null;
+  return async (initOptions) => {
     const forceRefresh = initOptions?.forceRefresh ?? false;
     if (sessionStore.hasResolvedSession() && !forceRefresh) {
       return toInitResult(sessionStore.getSessionIfResolved());
@@ -400,7 +393,7 @@ function createAuthClient(options = {}) {
     initPromise = (async () => {
       const session = await loadSession();
       sessionStore.setSession(session);
-      broadcastSync.publishSession(session);
+      publishSession(session);
       return toInitResult(session);
     })();
     try {
@@ -409,19 +402,91 @@ function createAuthClient(options = {}) {
       initPromise = null;
     }
   };
+}
+function createRefresh(request, sessionStore, publishSession) {
+  return async () => {
+    const payload = await request({
+      method: "POST",
+      path: authEndpoints.refresh
+    });
+    const session = parseSessionPayload(payload, authEndpoints.refresh);
+    sessionStore.setSession(session);
+    publishSession(session);
+    return session;
+  };
+}
+function createGetAccessToken(request, sessionStore, publishSession, persistAccessToken, restoreAccessToken) {
+  return async (requestOptions) => {
+    const forceRefresh = requestOptions?.forceRefresh ?? false;
+    const stored = await restoreAccessToken?.() ?? null;
+    if (!forceRefresh && isStoredTokenFresh(stored)) {
+      if (stored.session) {
+        sessionStore.setSession(stored.session);
+      }
+      return stored;
+    }
+    const payload = await request({
+      method: "GET",
+      path: authEndpoints.extensionToken
+    });
+    if (!isExtensionAccessToken(payload)) {
+      throw new AuthSdkError({
+        code: authErrorCode.apiError,
+        details: null,
+        message: `Auth API response has invalid extension token shape: ${authEndpoints.extensionToken}`,
+        status: null
+      });
+    }
+    const nextToken = {
+      accessToken: payload.accessToken,
+      application: payload.application,
+      expiresAt: payload.expiresAt,
+      session: payload.session,
+      tokenType: payload.tokenType
+    };
+    sessionStore.setSession(nextToken.session);
+    publishSession(nextToken.session);
+    await persistAccessToken?.(nextToken);
+    return nextToken;
+  };
+}
+function createLogout(request, sessionStore, publishSession, options) {
+  return async () => {
+    await request({
+      expectedStatus: httpStatus.noContent,
+      method: "POST",
+      path: authEndpoints.logout
+    });
+    await options.clearSessionId?.();
+    sessionStore.setSession(null);
+    publishSession(null);
+    await options.persistAccessToken?.(null);
+  };
+}
+function createCustomExtensionAuthClient(options) {
+  const sessionStore = new SessionStore();
+  const broadcastSync = createSafeBroadcastSync((session) => {
+    sessionStore.setSession(session);
+  });
+  const publishSession = broadcastSync.publishSession.bind(broadcastSync);
+  const request = createRequest(options);
+  const loadSession = createLoadSession(request);
+  const init = createInit(sessionStore, loadSession, publishSession);
+  const refresh = createRefresh(request, sessionStore, publishSession);
+  const getAccessToken = createGetAccessToken(
+    request,
+    sessionStore,
+    publishSession,
+    options.persistAccessToken,
+    options.restoreAccessToken
+  );
+  const logout = createLogout(request, sessionStore, publishSession, options);
   const getSession = async (requestOptions) => {
     const result = await init({
       forceRefresh: requestOptions?.forceRefresh ?? false
     });
     return result.session;
   };
-  const refresh = async () => {
-    const payload = await postJsonWithoutBody(resolveEndpoint(authEndpoints.refresh));
-    const session = toSessionPayload(payload, authEndpoints.refresh);
-    sessionStore.setSession(session);
-    broadcastSync.publishSession(session);
-    return session;
-  };
   const requireSession = async () => {
     const session = await getSession();
     if (session) {
@@ -434,50 +499,31 @@ function createAuthClient(options = {}) {
       status: httpStatus.unauthorized
     });
   };
-  const login = (loginOptions) => {
-    const returnTo = resolveReturnToPath(loginOptions?.returnTo);
-    const authorizeUrl = new URL(resolveEndpoint(authEndpoints.authorize), window.location.origin);
-    authorizeUrl.searchParams.set("return_to", returnTo);
-    const application = loginOptions?.application?.trim() || defaultApplication;
-    if (application) {
-      authorizeUrl.searchParams.set("app", application);
+  const loginWithTabFlow = async (loginOptions) => {
+    if (!options.openAuthorizePage) {
+      throw new Error("Extension auth client requires openAuthorizePage for tab login flow.");
     }
-    window.location.assign(authorizeUrl.toString());
-  };
-  const logout = async () => {
-    await postEmpty(resolveEndpoint(authEndpoints.logout));
-    sessionStore.setSession(null);
-    broadcastSync.publishSession(null);
-  };
-  const subscribe = sessionStore.subscribe.bind(sessionStore);
-  return {
-    init,
-    getSession,
-    login,
-    logout,
-    refresh,
-    requireSession,
-    subscribe
+    const returnTo = resolveExtensionReturnToPath(
+      loginOptions?.returnTo,
+      options.defaultReturnToPath
+    );
+    const authorizeUrl = buildAuthorizeUrl(
+      options.apiOrigin,
+      returnTo,
+      loginOptions?.application ?? options.application
+    );
+    await options.openAuthorizePage({
+      authorizeUrl
+    });
   };
-}
-
-// src/adapters/extension/auth-client.ts
-function buildAuthorizeUrl(apiOrigin, returnTo, application) {
-  const authorizeEndpoint = resolveApiEndpoint(authEndpoints.authorize, apiOrigin);
-  const authorizeUrl = new URL(authorizeEndpoint, window.location.origin);
-  authorizeUrl.searchParams.set("return_to", returnTo);
-  if (application?.trim()) {
-    authorizeUrl.searchParams.set("app", application.trim());
-  }
-  return authorizeUrl.toString();
-}
-function createExtensionAuthClient(options) {
-  const baseClient = createAuthClient({
-    apiOrigin: options.apiOrigin,
-    application: options.application
-  });
   const loginWithWebAuthFlow = async (loginOptions) => {
-    const returnTo = resolveReturnToPath(loginOptions?.returnTo);
+    if (!options.launchWebAuthFlow) {
+      throw new Error("Extension auth client requires launchWebAuthFlow for web auth flow.");
+    }
+    const returnTo = resolveExtensionReturnToPath(
+      loginOptions?.returnTo,
+      options.defaultReturnToPath
+    );
     const authorizeUrl = buildAuthorizeUrl(
       options.apiOrigin,
       returnTo,
@@ -486,17 +532,145 @@ function createExtensionAuthClient(options) {
     await options.launchWebAuthFlow({
       authorizeUrl
     });
-    await baseClient.refresh();
+    await refresh();
   };
   return {
-    ...baseClient,
+    init,
+    getSession,
     login(loginOptions) {
+      if (options.openAuthorizePage) {
+        void loginWithTabFlow(loginOptions);
+        return;
+      }
       void loginWithWebAuthFlow(loginOptions);
     },
+    logout,
+    refresh,
+    requireSession,
+    subscribe(listener) {
+      return sessionStore.subscribe(listener);
+    },
+    getAccessToken,
+    loginWithTabFlow,
     loginWithWebAuthFlow
   };
 }
 
-export { createExtensionAuthClient };
+// src/adapters/extension/chrome-auth-client.ts
+function hasChromeExtensionRuntime() {
+  const chrome = getChromeRuntime();
+  return Boolean(chrome.cookies && chrome.storage?.local && chrome.tabs);
+}
+var defaultSessionCookieName = "gs_auth_session";
+var defaultAccessTokenStorageKey = "authToken";
+var defaultTokenExpiresAtStorageKey = "authTokenExpiresAt";
+var defaultSessionStorageKey = "authSession";
+var defaultExtensionReturnToPath = "/oauth/complete";
+function getChromeRuntime() {
+  return globalThis.chrome ?? {};
+}
+function createChromeExtensionAuthClient(options) {
+  const sessionCookieName = options.sessionCookieName?.trim() || defaultSessionCookieName;
+  const accessTokenStorageKey = options.accessTokenStorageKey?.trim() || defaultAccessTokenStorageKey;
+  const tokenExpiresAtStorageKey = options.tokenExpiresAtStorageKey?.trim() || defaultTokenExpiresAtStorageKey;
+  const sessionStorageKey = options.sessionStorageKey?.trim() || defaultSessionStorageKey;
+  const resolveSessionId = async () => {
+    const cookies = getChromeRuntime().cookies;
+    if (!cookies) {
+      return null;
+    }
+    const cookie = await cookies.get({
+      name: sessionCookieName,
+      url: `${options.apiOrigin}/`
+    });
+    return cookie?.value?.trim() || null;
+  };
+  const clearSessionId = async () => {
+    const cookies = getChromeRuntime().cookies;
+    if (!cookies) {
+      return;
+    }
+    await cookies.remove({
+      name: sessionCookieName,
+      url: `${options.apiOrigin}/`
+    });
+  };
+  const persistAccessToken = async (token) => {
+    const storage = getChromeRuntime().storage?.local;
+    if (!storage) {
+      return;
+    }
+    if (!token) {
+      await storage.remove([accessTokenStorageKey, tokenExpiresAtStorageKey, sessionStorageKey]);
+      return;
+    }
+    await storage.set({
+      [accessTokenStorageKey]: token.accessToken,
+      [tokenExpiresAtStorageKey]: token.expiresAt || null,
+      [sessionStorageKey]: token.session || null
+    });
+  };
+  const restoreAccessToken = async () => {
+    const storage = getChromeRuntime().storage?.local;
+    if (!storage) {
+      return null;
+    }
+    const stored = await storage.get([
+      accessTokenStorageKey,
+      tokenExpiresAtStorageKey,
+      sessionStorageKey
+    ]);
+    const rawAccessToken = stored[accessTokenStorageKey];
+    if (typeof rawAccessToken !== "string" || rawAccessToken.trim() === "") {
+      return null;
+    }
+    return {
+      accessToken: rawAccessToken,
+      application: options.application?.trim() || "",
+      expiresAt: typeof stored[tokenExpiresAtStorageKey] === "string" ? stored[tokenExpiresAtStorageKey] : null,
+      session: stored[sessionStorageKey] ?? null,
+      tokenType: "Bearer"
+    };
+  };
+  const openAuthorizePage = async ({ authorizeUrl }) => {
+    const tabs = getChromeRuntime().tabs;
+    if (!tabs) {
+      throw new Error("Chrome tabs API is unavailable.");
+    }
+    await tabs.create({ active: true, url: authorizeUrl });
+  };
+  return createCustomExtensionAuthClient({
+    ...options,
+    defaultReturnToPath: options.defaultReturnToPath?.trim() || defaultExtensionReturnToPath,
+    clearSessionId,
+    openAuthorizePage,
+    persistAccessToken,
+    resolveSessionId,
+    restoreAccessToken
+  });
+}
+
+// src/extension.ts
+function hasCustomExtensionHooks(options) {
+  return Boolean(
+    options.clearSessionId || options.launchWebAuthFlow || options.openAuthorizePage || options.persistAccessToken || options.resolveSessionId || options.restoreAccessToken
+  );
+}
+function createExtensionAuthClient(options) {
+  if (hasChromeExtensionRuntime()) {
+    return createChromeExtensionAuthClient(options);
+  }
+  if (hasCustomExtensionHooks(options)) {
+    return createCustomExtensionAuthClient(options);
+  }
+  throw new AuthSdkError({
+    code: authErrorCode.apiError,
+    details: null,
+    message: "No supported extension runtime detected. Chromium browsers are supported automatically. Safari requires a dedicated adapter or explicit custom hooks.",
+    status: null
+  });
+}
+
+export { createChromeExtensionAuthClient, createCustomExtensionAuthClient, createExtensionAuthClient };
 //# sourceMappingURL=extension.js.map
 //# sourceMappingURL=extension.js.map