@hanzo/iam 0.2.0 → 0.4.0

package/src/billing.ts

@@ -1,205 +1,19 @@
 /**
- * @hanzo/iam/billing — Billing client for Hanzo Commerce API.
+ * @hanzo/iam/billing — REMOVED
  *
- * Canonical billing lives in commerce.js/billing. This provides the same
- * client for convenience when @hanzo/iam is already installed.
- * Both talk to Commerce API — one way to do billing.
+ * Billing has moved to @hanzo/commerce (or commerce.js).
  *
- * @example
  * ```ts
- * // Preferred:
- * import { BillingClient } from 'commerce.js/billing'
- *
- * // Also works:
- * import { BillingClient } from '@hanzo/iam/billing'
+ * // Use this instead:
+ * import { Commerce } from '@hanzo/commerce'
+ * const commerce = new Commerce({ commerceUrl: '...' })
+ * await commerce.getBalance(userId)
  * ```
+ *
+ * @deprecated This module is no longer functional. Use @hanzo/commerce.
  */
 
-const DEFAULT_TIMEOUT_MS = 10_000;
-
-// ---------------------------------------------------------------------------
-// Config
-// ---------------------------------------------------------------------------
-
-export type CommerceConfig = {
-  /** Commerce API base URL (e.g. "https://commerce.hanzo.ai"). */
-  commerceUrl: string;
-  /** Optional IAM access token for authenticated requests. */
-  token?: string;
-};
-
-// ---------------------------------------------------------------------------
-// Types
-// ---------------------------------------------------------------------------
-
-export type Balance = {
-  balance: number;
-  holds: number;
-  available: number;
-};
-
-export type Transaction = {
-  id?: string;
-  type: "hold" | "hold-removed" | "transfer" | "deposit" | "withdraw";
-  currency: string;
-  amount: number;
-  tags?: string[];
-  expiresAt?: string;
-  metadata?: Record<string, unknown>;
-  createdAt?: string;
-};
-
-export type Subscription = {
-  id?: string;
-  planId?: string;
-  userId?: string;
-  status?: string;
-  billingType?: string;
-  periodStart?: string;
-  periodEnd?: string;
-  createdAt?: string;
-};
-
-export type Plan = {
-  slug?: string;
-  name?: string;
-  description?: string;
-  price?: number;
-  currency?: string;
-  interval?: string;
-  metadata?: Record<string, unknown>;
-};
-
-export type Payment = {
-  id?: string;
-  orderId?: string;
-  amount?: number;
-  currency?: string;
-  status?: string;
-  captured?: boolean;
-  createdAt?: string;
-};
-
-// ---------------------------------------------------------------------------
-// Client
-// ---------------------------------------------------------------------------
-
-export class BillingClient {
-  private readonly baseUrl: string;
-  private token: string | undefined;
-
-  constructor(config: CommerceConfig) {
-    this.baseUrl = config.commerceUrl.replace(/\/+$/, "");
-    this.token = config.token;
-  }
-
-  setToken(token: string) {
-    this.token = token;
-  }
-
-  private async request<T>(
-    path: string,
-    opts?: { method?: string; body?: unknown; token?: string; params?: Record<string, string> },
-  ): Promise<T> {
-    const url = new URL(path, this.baseUrl);
-    if (opts?.params) {
-      for (const [k, v] of Object.entries(opts.params)) url.searchParams.set(k, v);
-    }
-
-    const controller = new AbortController();
-    const timer = setTimeout(() => controller.abort(), DEFAULT_TIMEOUT_MS);
-
-    const headers: Record<string, string> = { Accept: "application/json" };
-    const authToken = opts?.token ?? this.token;
-    if (authToken) headers.Authorization = `Bearer ${authToken}`;
-    if (opts?.body) headers["Content-Type"] = "application/json";
-
-    try {
-      const res = await fetch(url.toString(), {
-        method: opts?.method ?? "GET",
-        headers,
-        body: opts?.body ? JSON.stringify(opts.body) : undefined,
-        signal: controller.signal,
-      });
-      if (!res.ok) {
-        const text = await res.text().catch(() => "");
-        throw new CommerceApiError(res.status, `${res.statusText}: ${text}`.trim());
-      }
-      return (await res.json()) as T;
-    } finally {
-      clearTimeout(timer);
-    }
-  }
-
-  async getBalance(user: string, currency = "usd", token?: string): Promise<Balance> {
-    return this.request("/api/v1/billing/balance", { params: { user, currency }, token });
-  }
-
-  async getAllBalances(user: string, token?: string): Promise<Record<string, Balance>> {
-    return this.request("/api/v1/billing/balance/all", { params: { user }, token });
-  }
-
-  async addUsageRecord(record: { user: string; currency?: string; amount: number; model?: string; provider?: string; tokens?: number }, token?: string): Promise<Transaction> {
-    return this.request("/api/v1/billing/usage", { method: "POST", body: record, token });
-  }
-
-  async getUsageRecords(user: string, currency = "usd", token?: string): Promise<Transaction[]> {
-    return this.request("/api/v1/billing/usage", { params: { user, currency }, token });
-  }
-
-  async addDeposit(params: { user: string; currency?: string; amount: number; notes?: string; tags?: string[]; expiresIn?: string }, token?: string): Promise<Transaction> {
-    return this.request("/api/v1/billing/deposit", { method: "POST", body: params, token });
-  }
-
-  async grantStarterCredit(user: string, token?: string): Promise<Transaction> {
-    return this.request("/api/v1/billing/credit", { method: "POST", body: { user }, token });
-  }
-
-  async subscribe(params: { planId: string; userId: string }, token?: string): Promise<Subscription> {
-    return this.request("/api/v1/subscribe", { method: "POST", body: params, token });
-  }
-
-  async getSubscription(id: string, token?: string): Promise<Subscription | null> {
-    try { return await this.request(`/api/v1/subscribe/${id}`, { token }); } catch { return null; }
-  }
-
-  async cancelSubscription(id: string, token?: string): Promise<void> {
-    await this.request(`/api/v1/subscribe/${id}`, { method: "DELETE", token });
-  }
-
-  async getPlans(token?: string): Promise<Plan[]> {
-    return this.request("/api/v1/plan", { token });
-  }
-
-  async getPlan(id: string, token?: string): Promise<Plan | null> {
-    try { return await this.request(`/api/v1/plan/${id}`, { token }); } catch { return null; }
-  }
-
-  async authorize(orderId: string, token?: string): Promise<Payment> {
-    return this.request(`/api/v1/authorize/${orderId}`, { method: "POST", token });
-  }
-
-  async capture(orderId: string, token?: string): Promise<Payment> {
-    return this.request(`/api/v1/capture/${orderId}`, { method: "POST", token });
-  }
-
-  async charge(orderId: string, token?: string): Promise<Payment> {
-    return this.request(`/api/v1/charge/${orderId}`, { method: "POST", token });
-  }
-
-  async refund(paymentId: string, token?: string): Promise<Payment> {
-    return this.request(`/api/v1/refund/${paymentId}`, { method: "POST", token });
-  }
-}
-
-export class CommerceApiError extends Error {
-  readonly status: number;
-  constructor(status: number, message: string) {
-    super(message);
-    this.name = "CommerceApiError";
-    this.status = status;
-  }
-}
-
-// Backwards-compatible alias
-export { BillingClient as IamBillingClient };
+throw new Error(
+  '@hanzo/iam/billing has been removed. Use @hanzo/commerce or commerce.js instead. ' +
+  'See: https://docs.hanzo.ai/services/commerce/sdk'
+)

package/src/browser.ts

@@ -33,6 +33,14 @@ export type BrowserIamConfig = IamConfig & {
   scope?: string;
   /** Storage to use for tokens (default: sessionStorage). */
   storage?: Storage;
+  /**
+   * Proxy base URL for token exchange and userinfo requests.
+   * When set, token exchange POSTs go to `${proxyBaseUrl}/auth/token`
+   * and userinfo GETs go to `${proxyBaseUrl}/auth/userinfo` instead of
+   * directly to the IAM server. This avoids CORS issues when the IAM
+   * server doesn't send Access-Control-Allow-Origin headers.
+   */
+  proxyBaseUrl?: string;
 };
 
 export class BrowserIamSdk {
@@ -53,13 +61,32 @@ export class BrowserIamSdk {
     if (this.discoveryCache) return this.discoveryCache;
 
     const baseUrl = this.config.serverUrl.replace(/\/+$/, "");
-    const res = await fetch(`${baseUrl}/.well-known/openid-configuration`, {
-      headers: { Accept: "application/json" },
-    });
-    if (!res.ok) {
-      throw new Error(`OIDC discovery failed: ${res.status}`);
+
+    // Try fetching the OIDC discovery document. If it fails (e.g. due to
+    // CORS when the IAM server doesn't send Access-Control-Allow-Origin),
+    // construct a fallback from well-known Casdoor/Hanzo IAM endpoint paths.
+    try {
+      const res = await fetch(`${baseUrl}/.well-known/openid-configuration`, {
+        headers: { Accept: "application/json" },
+      });
+      if (res.ok) {
+        this.discoveryCache = (await res.json()) as OidcDiscovery;
+        return this.discoveryCache;
+      }
+    } catch {
+      // CORS or network error — fall through to constructed discovery
     }
-    this.discoveryCache = (await res.json()) as OidcDiscovery;
+
+    this.discoveryCache = {
+      issuer: baseUrl,
+      authorization_endpoint: `${baseUrl}/login/oauth/authorize`,
+      token_endpoint: `${baseUrl}/api/login/oauth/access_token`,
+      userinfo_endpoint: `${baseUrl}/api/userinfo`,
+      jwks_uri: `${baseUrl}/.well-known/jwks`,
+      response_types_supported: ["code", "token", "id_token"],
+      grant_types_supported: ["authorization_code", "implicit", "refresh_token"],
+      scopes_supported: ["openid", "email", "profile"],
+    };
     return this.discoveryCache;
   }
 
@@ -112,8 +139,6 @@ export class BrowserIamSdk {
    */
   async handleCallback(callbackUrl?: string): Promise<TokenResponse> {
     const url = new URL(callbackUrl ?? window.location.href);
-    const code = url.searchParams.get("code");
-    const state = url.searchParams.get("state");
     const error = url.searchParams.get("error");
 
     if (error) {
@@ -121,15 +146,34 @@ export class BrowserIamSdk {
       throw new Error(`OAuth error: ${desc}`);
     }
 
-    if (!code) {
-      throw new Error("Missing authorization code in callback URL");
-    }
-
+    const state = url.searchParams.get("state");
     const savedState = this.storage.getItem(KEY_STATE);
-    if (!savedState || savedState !== state) {
+    if (savedState && state !== savedState) {
       throw new Error("OAuth state mismatch — possible CSRF attack");
     }
 
+    // Implicit flow: access_token returned directly in URL
+    const accessToken = url.searchParams.get("access_token");
+    if (accessToken) {
+      this.storage.removeItem(KEY_STATE);
+      this.storage.removeItem(KEY_CODE_VERIFIER);
+
+      const tokens: TokenResponse = {
+        access_token: accessToken,
+        token_type: "Bearer",
+        refresh_token: url.searchParams.get("refresh_token") ?? undefined,
+        expires_in: 7200,
+      };
+      this.storeTokens(tokens);
+      return tokens;
+    }
+
+    // Authorization code flow: exchange code for tokens via PKCE
+    const code = url.searchParams.get("code");
+    if (!code) {
+      throw new Error("Missing authorization code in callback URL");
+    }
+
     const codeVerifier = this.storage.getItem(KEY_CODE_VERIFIER);
     if (!codeVerifier) {
       throw new Error("Missing PKCE code verifier — was signinRedirect() called?");
@@ -148,7 +192,12 @@ export class BrowserIamSdk {
       code_verifier: codeVerifier,
     });
 
-    const res = await fetch(discovery.token_endpoint, {
+    // Use proxy URL when configured to avoid CORS on the token endpoint.
+    const tokenUrl = this.config.proxyBaseUrl
+      ? `${this.config.proxyBaseUrl.replace(/\/+$/, "")}/auth/token`
+      : discovery.token_endpoint;
+
+    const res = await fetch(tokenUrl, {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
       body: body.toString(),
@@ -182,7 +231,11 @@ export class BrowserIamSdk {
       refresh_token: refreshToken,
     });
 
-    const res = await fetch(discovery.token_endpoint, {
+    const tokenUrl = this.config.proxyBaseUrl
+      ? `${this.config.proxyBaseUrl.replace(/\/+$/, "")}/auth/token`
+      : discovery.token_endpoint;
+
+    const res = await fetch(tokenUrl, {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
       body: body.toString(),
@@ -417,7 +470,10 @@ export class BrowserIamSdk {
       throw new Error("No valid access token — user must log in");
     }
     const discovery = await this.getDiscovery();
-    const res = await fetch(discovery.userinfo_endpoint, {
+    const userinfoUrl = this.config.proxyBaseUrl
+      ? `${this.config.proxyBaseUrl.replace(/\/+$/, "")}/auth/userinfo`
+      : discovery.userinfo_endpoint;
+    const res = await fetch(userinfoUrl, {
       headers: { Authorization: `Bearer ${token}` },
     });
     if (!res.ok) {

package/src/index.ts

@@ -22,9 +22,8 @@
 // Core client (auth, users, orgs, projects → IAM)
 export { IamClient, IamApiError } from "./client.js";
 
-// Billing client (subscriptions, plans, payments, usage → Commerce API)
-// Canonical source: commerce.js/billing. Re-exported here for convenience.
-export { BillingClient, IamBillingClient, CommerceApiError } from "./billing.js";
+// Billing has moved to @hanzo/commerce. Import Commerce from "@hanzo/commerce" instead.
+// See: https://docs.hanzo.ai/services/commerce/sdk
 
 // JWT validation
 export { validateToken, clearJwksCache } from "./auth.js";

package/src/passport.ts

@@ -0,0 +1,97 @@
+/**
+ * Passport.js OAuth2 strategy factory for Hanzo IAM.
+ *
+ * Creates a pre-configured passport-oauth2 strategy that authenticates
+ * against hanzo.id with PKCE and fetches user info on callback.
+ *
+ * @example
+ * ```ts
+ * import passport from "passport";
+ * import { createIamPassportStrategy } from "@hanzo/iam/passport";
+ *
+ * passport.use("iam", createIamPassportStrategy({
+ *   serverUrl: "https://hanzo.id",
+ *   clientId: "hanzo-kms-client-id",
+ *   clientSecret: process.env.IAM_CLIENT_SECRET!,
+ *   callbackUrl: "https://kms.hanzo.ai/api/v1/sso/oidc/callback",
+ * }));
+ * ```
+ *
+ * @packageDocumentation
+ */
+
+import type { IamConfig } from "./types.js";
+
+export interface IamPassportConfig extends IamConfig {
+  /** Full callback URL for OAuth2 redirect. */
+  callbackUrl: string;
+  /** OAuth2 scopes. Default: "openid profile email". */
+  scope?: string;
+}
+
+export interface IamPassportUser {
+  accessToken: string;
+  refreshToken?: string;
+  userinfo: Record<string, unknown>;
+}
+
+/**
+ * Create a Passport OAuth2 strategy for Hanzo IAM.
+ *
+ * Requires `passport-oauth2` as a peer dependency.
+ * Returns an OAuth2Strategy instance ready to pass to `passport.use()`.
+ *
+ * The verify callback fetches userinfo from the IAM server and passes
+ * `{ accessToken, refreshToken, userinfo }` as the user object.
+ */
+export function createIamPassportStrategy(
+  config: IamPassportConfig,
+): unknown {
+  // Dynamic import to keep passport-oauth2 as optional peer dep.
+  // eslint-disable-next-line @typescript-eslint/no-require-imports
+  const { Strategy: OAuth2Strategy } = require("passport-oauth2") as {
+    Strategy: new (
+      options: Record<string, unknown>,
+      verify: (...args: unknown[]) => void,
+    ) => unknown;
+  };
+
+  const baseUrl = config.serverUrl.replace(/\/+$/, "");
+
+  const verify = async (
+    ...args: unknown[]
+  ): Promise<void> => {
+    // passReqToCallback=true: (req, accessToken, refreshToken, profile, done)
+    const accessToken = args[1] as string;
+    const refreshToken = args[2] as string | undefined;
+    const done = args[4] as (err: Error | null, user?: IamPassportUser) => void;
+
+    try {
+      const res = await fetch(`${baseUrl}/api/userinfo`, {
+        headers: { Authorization: `Bearer ${accessToken}` },
+      });
+      if (!res.ok) {
+        return done(new Error(`IAM userinfo failed: ${res.status}`));
+      }
+      const userinfo = (await res.json()) as Record<string, unknown>;
+      done(null, { accessToken, refreshToken, userinfo });
+    } catch (err) {
+      done(err instanceof Error ? err : new Error(String(err)));
+    }
+  };
+
+  return new OAuth2Strategy(
+    {
+      authorizationURL: `${baseUrl}/login/oauth/authorize`,
+      tokenURL: `${baseUrl}/api/login/oauth/access_token`,
+      clientID: config.clientId,
+      clientSecret: config.clientSecret ?? "",
+      callbackURL: config.callbackUrl,
+      scope: config.scope ?? "openid profile email",
+      state: true,
+      pkce: true,
+      passReqToCallback: true,
+    },
+    verify,
+  );
+}

package/src/react.ts

@@ -591,3 +591,129 @@ export function useIamToken(): {
 
 // Re-export context for advanced use
 export { IamContext };
+
+// ---------------------------------------------------------------------------
+// OrgProjectSwitcher component
+// ---------------------------------------------------------------------------
+
+export interface OrgProjectSwitcherProps {
+  organizations: Array<{ name: string; displayName?: string; owner?: string }>;
+  currentOrgId: string | null;
+  switchOrg: (orgId: string) => void;
+  projects?: Array<{ name: string; displayName?: string; organization?: string; isDefault?: boolean }>;
+  currentProjectId?: string | null;
+  switchProject?: (projectId: string | null) => void;
+  onTenantChange?: (orgId: string | null, projectId: string | null) => void;
+  environment?: string | null;
+  className?: string;
+  alwaysShow?: boolean;
+}
+
+/**
+ * Organization and project switcher component.
+ *
+ * @example
+ * ```tsx
+ * import { useOrganizations, OrgProjectSwitcher } from '@hanzo/iam/react'
+ *
+ * function Nav() {
+ *   const orgState = useOrganizations()
+ *   return <OrgProjectSwitcher {...orgState} />
+ * }
+ * ```
+ */
+export function OrgProjectSwitcher({
+  organizations,
+  currentOrgId,
+  switchOrg,
+  projects = [],
+  currentProjectId = null,
+  switchProject,
+  onTenantChange,
+  environment,
+  className = "",
+  alwaysShow = false,
+}: OrgProjectSwitcherProps) {
+  useEffect(() => {
+    onTenantChange?.(currentOrgId, currentProjectId ?? null);
+  }, [currentOrgId, currentProjectId, onTenantChange]);
+
+  const handleOrgChange = useCallback(
+    (e: { target: { value: string } }) => switchOrg(e.target.value),
+    [switchOrg],
+  );
+
+  const handleProjectChange = useCallback(
+    (e: { target: { value: string } }) => switchProject?.(e.target.value || null),
+    [switchProject],
+  );
+
+  if (!alwaysShow && organizations.length <= 1 && projects.length <= 1) {
+    if (organizations.length === 1) {
+      const org = organizations[0];
+      return createElement(
+        "div",
+        { className: `flex items-center gap-2 text-sm ${className}` },
+        createElement("span", { className: "font-medium" }, org.displayName || org.name),
+        projects.length === 1
+          ? [
+              createElement("span", { className: "text-muted-foreground", key: "sep" }, "/"),
+              createElement("span", { key: "proj" }, projects[0].displayName || projects[0].name),
+            ]
+          : null,
+        environment
+          ? createElement(
+              "span",
+              { className: "rounded-full bg-muted px-2 py-0.5 text-xs text-muted-foreground" },
+              environment,
+            )
+          : null,
+      );
+    }
+    return null;
+  }
+
+  return createElement(
+    "div",
+    { className: `flex items-center gap-2 ${className}` },
+    createElement(
+      "select",
+      {
+        value: currentOrgId ?? "",
+        onChange: handleOrgChange,
+        className:
+          "h-8 rounded-md border border-border bg-background px-2 text-sm text-foreground focus:outline-none focus:ring-1 focus:ring-ring",
+        "aria-label": "Switch organization",
+      },
+      ...organizations.map((org) =>
+        createElement("option", { key: org.name, value: org.name }, org.displayName || org.name),
+      ),
+    ),
+    projects.length > 0 && switchProject
+      ? [
+          createElement("span", { className: "text-muted-foreground", key: "sep" }, "/"),
+          createElement(
+            "select",
+            {
+              key: "proj-select",
+              value: currentProjectId ?? "",
+              onChange: handleProjectChange,
+              className:
+                "h-8 rounded-md border border-border bg-background px-2 text-sm text-foreground focus:outline-none focus:ring-1 focus:ring-ring",
+              "aria-label": "Switch project",
+            },
+            ...projects.map((proj) =>
+              createElement("option", { key: proj.name, value: proj.name }, proj.displayName || proj.name),
+            ),
+          ),
+        ]
+      : null,
+    environment
+      ? createElement(
+          "span",
+          { className: "rounded-full bg-muted px-2 py-0.5 text-xs text-muted-foreground" },
+          environment,
+        )
+      : null,
+  );
+}