npm - @hanzo/iam - Versions diffs - 0.3.0 → 0.4.1 - Mend

@hanzo/iam 0.3.0 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (35) hide show

package/src/billing.ts CHANGED Viewed

@@ -1,205 +1,19 @@
 /**
- * @hanzo/iam/billing — Billing client for Hanzo Commerce API.
+ * @hanzo/iam/billing — REMOVED
  *
- * Canonical billing lives in commerce.js/billing. This provides the same
- * client for convenience when @hanzo/iam is already installed.
- * Both talk to Commerce API — one way to do billing.
+ * Billing has moved to @hanzo/commerce (or commerce.js).
  *
- * @example
  * ```ts
- * // Preferred:
- * import { BillingClient } from 'commerce.js/billing'
- *
- * // Also works:
- * import { BillingClient } from '@hanzo/iam/billing'
+ * // Use this instead:
+ * import { Commerce } from '@hanzo/commerce'
+ * const commerce = new Commerce({ commerceUrl: '...' })
+ * await commerce.getBalance(userId)
  * ```
+ *
+ * @deprecated This module is no longer functional. Use @hanzo/commerce.
  */
-const DEFAULT_TIMEOUT_MS = 10_000;
-// ---------------------------------------------------------------------------
-// Config
-// ---------------------------------------------------------------------------
-export type CommerceConfig = {
-  /** Commerce API base URL (e.g. "https://commerce.hanzo.ai"). */
-  commerceUrl: string;
-  /** Optional IAM access token for authenticated requests. */
-  token?: string;
-};
-// ---------------------------------------------------------------------------
-// Types
-// ---------------------------------------------------------------------------
-export type Balance = {
-  balance: number;
-  holds: number;
-  available: number;
-};
-export type Transaction = {
-  id?: string;
-  type: "hold" | "hold-removed" | "transfer" | "deposit" | "withdraw";
-  currency: string;
-  amount: number;
-  tags?: string[];
-  expiresAt?: string;
-  metadata?: Record<string, unknown>;
-  createdAt?: string;
-};
-export type Subscription = {
-  id?: string;
-  planId?: string;
-  userId?: string;
-  status?: string;
-  billingType?: string;
-  periodStart?: string;
-  periodEnd?: string;
-  createdAt?: string;
-};
-export type Plan = {
-  slug?: string;
-  name?: string;
-  description?: string;
-  price?: number;
-  currency?: string;
-  interval?: string;
-  metadata?: Record<string, unknown>;
-};
-export type Payment = {
-  id?: string;
-  orderId?: string;
-  amount?: number;
-  currency?: string;
-  status?: string;
-  captured?: boolean;
-  createdAt?: string;
-};
-// ---------------------------------------------------------------------------
-// Client
-// ---------------------------------------------------------------------------
-export class BillingClient {
-  private readonly baseUrl: string;
-  private token: string | undefined;
-  constructor(config: CommerceConfig) {
-    this.baseUrl = config.commerceUrl.replace(/\/+$/, "");
-    this.token = config.token;
-  }
-  setToken(token: string) {
-    this.token = token;
-  }
-  private async request<T>(
-    path: string,
-    opts?: { method?: string; body?: unknown; token?: string; params?: Record<string, string> },
-  ): Promise<T> {
-    const url = new URL(path, this.baseUrl);
-    if (opts?.params) {
-      for (const [k, v] of Object.entries(opts.params)) url.searchParams.set(k, v);
-    }
-    const controller = new AbortController();
-    const timer = setTimeout(() => controller.abort(), DEFAULT_TIMEOUT_MS);
-    const headers: Record<string, string> = { Accept: "application/json" };
-    const authToken = opts?.token ?? this.token;
-    if (authToken) headers.Authorization = `Bearer ${authToken}`;
-    if (opts?.body) headers["Content-Type"] = "application/json";
-    try {
-      const res = await fetch(url.toString(), {
-        method: opts?.method ?? "GET",
-        headers,
-        body: opts?.body ? JSON.stringify(opts.body) : undefined,
-        signal: controller.signal,
-      });
-      if (!res.ok) {
-        const text = await res.text().catch(() => "");
-        throw new CommerceApiError(res.status, `${res.statusText}: ${text}`.trim());
-      }
-      return (await res.json()) as T;
-    } finally {
-      clearTimeout(timer);
-    }
-  }
-  async getBalance(user: string, currency = "usd", token?: string): Promise<Balance> {
-    return this.request("/api/v1/billing/balance", { params: { user, currency }, token });
-  }
-  async getAllBalances(user: string, token?: string): Promise<Record<string, Balance>> {
-    return this.request("/api/v1/billing/balance/all", { params: { user }, token });
-  }
-  async addUsageRecord(record: { user: string; currency?: string; amount: number; model?: string; provider?: string; tokens?: number }, token?: string): Promise<Transaction> {
-    return this.request("/api/v1/billing/usage", { method: "POST", body: record, token });
-  }
-  async getUsageRecords(user: string, currency = "usd", token?: string): Promise<Transaction[]> {
-    return this.request("/api/v1/billing/usage", { params: { user, currency }, token });
-  }
-  async addDeposit(params: { user: string; currency?: string; amount: number; notes?: string; tags?: string[]; expiresIn?: string }, token?: string): Promise<Transaction> {
-    return this.request("/api/v1/billing/deposit", { method: "POST", body: params, token });
-  }
-  async grantStarterCredit(user: string, token?: string): Promise<Transaction> {
-    return this.request("/api/v1/billing/credit", { method: "POST", body: { user }, token });
-  }
-  async subscribe(params: { planId: string; userId: string }, token?: string): Promise<Subscription> {
-    return this.request("/api/v1/subscribe", { method: "POST", body: params, token });
-  }
-  async getSubscription(id: string, token?: string): Promise<Subscription | null> {
-    try { return await this.request(`/api/v1/subscribe/${id}`, { token }); } catch { return null; }
-  }
-  async cancelSubscription(id: string, token?: string): Promise<void> {
-    await this.request(`/api/v1/subscribe/${id}`, { method: "DELETE", token });
-  }
-  async getPlans(token?: string): Promise<Plan[]> {
-    return this.request("/api/v1/plan", { token });
-  }
-  async getPlan(id: string, token?: string): Promise<Plan | null> {
-    try { return await this.request(`/api/v1/plan/${id}`, { token }); } catch { return null; }
-  }
-  async authorize(orderId: string, token?: string): Promise<Payment> {
-    return this.request(`/api/v1/authorize/${orderId}`, { method: "POST", token });
-  }
-  async capture(orderId: string, token?: string): Promise<Payment> {
-    return this.request(`/api/v1/capture/${orderId}`, { method: "POST", token });
-  }
-  async charge(orderId: string, token?: string): Promise<Payment> {
-    return this.request(`/api/v1/charge/${orderId}`, { method: "POST", token });
-  }
-  async refund(paymentId: string, token?: string): Promise<Payment> {
-    return this.request(`/api/v1/refund/${paymentId}`, { method: "POST", token });
-  }
-}
-export class CommerceApiError extends Error {
-  readonly status: number;
-  constructor(status: number, message: string) {
-    super(message);
-    this.name = "CommerceApiError";
-    this.status = status;
-  }
-}
-// Backwards-compatible alias
-export { BillingClient as IamBillingClient };
+throw new Error(
+  '@hanzo/iam/billing has been removed. Use @hanzo/commerce or commerce.js instead. ' +
+  'See: https://docs.hanzo.ai/services/commerce/sdk'
+)

package/src/browser.ts CHANGED Viewed

@@ -33,6 +33,14 @@ export type BrowserIamConfig = IamConfig & {
   scope?: string;
   /** Storage to use for tokens (default: sessionStorage). */
   storage?: Storage;
+  /**
+   * Proxy base URL for token exchange and userinfo requests.
+   * When set, token exchange POSTs go to `${proxyBaseUrl}/auth/token`
+   * and userinfo GETs go to `${proxyBaseUrl}/auth/userinfo` instead of
+   * directly to the IAM server. This avoids CORS issues when the IAM
+   * server doesn't send Access-Control-Allow-Origin headers.
+   */
+  proxyBaseUrl?: string;
 };
 export class BrowserIamSdk {
@@ -53,13 +61,32 @@ export class BrowserIamSdk {
     if (this.discoveryCache) return this.discoveryCache;
     const baseUrl = this.config.serverUrl.replace(/\/+$/, "");
-    const res = await fetch(`${baseUrl}/.well-known/openid-configuration`, {
-      headers: { Accept: "application/json" },
-    });
-    if (!res.ok) {
-      throw new Error(`OIDC discovery failed: ${res.status}`);
+    // Try fetching the OIDC discovery document. If it fails (e.g. due to
+    // CORS when the IAM server doesn't send Access-Control-Allow-Origin),
+    // construct a fallback from well-known Casdoor/Hanzo IAM endpoint paths.
+    try {
+      const res = await fetch(`${baseUrl}/.well-known/openid-configuration`, {
+        headers: { Accept: "application/json" },
+      });
+      if (res.ok) {
+        this.discoveryCache = (await res.json()) as OidcDiscovery;
+        return this.discoveryCache;
+      }
+    } catch {
+      // CORS or network error — fall through to constructed discovery
     }
-    this.discoveryCache = (await res.json()) as OidcDiscovery;
+    this.discoveryCache = {
+      issuer: baseUrl,
+      authorization_endpoint: `${baseUrl}/login/oauth/authorize`,
+      token_endpoint: `${baseUrl}/api/login/oauth/access_token`,
+      userinfo_endpoint: `${baseUrl}/api/userinfo`,
+      jwks_uri: `${baseUrl}/.well-known/jwks`,
+      response_types_supported: ["code", "token", "id_token"],
+      grant_types_supported: ["authorization_code", "implicit", "refresh_token"],
+      scopes_supported: ["openid", "email", "profile"],
+    };
     return this.discoveryCache;
   }
@@ -112,8 +139,6 @@ export class BrowserIamSdk {
    */
   async handleCallback(callbackUrl?: string): Promise<TokenResponse> {
     const url = new URL(callbackUrl ?? window.location.href);
-    const code = url.searchParams.get("code");
-    const state = url.searchParams.get("state");
     const error = url.searchParams.get("error");
     if (error) {
@@ -121,15 +146,34 @@ export class BrowserIamSdk {
       throw new Error(`OAuth error: ${desc}`);
     }
-    if (!code) {
-      throw new Error("Missing authorization code in callback URL");
-    }
+    const state = url.searchParams.get("state");
     const savedState = this.storage.getItem(KEY_STATE);
-    if (!savedState || savedState !== state) {
+    if (savedState && state !== savedState) {
       throw new Error("OAuth state mismatch — possible CSRF attack");
     }
+    // Implicit flow: access_token returned directly in URL
+    const accessToken = url.searchParams.get("access_token");
+    if (accessToken) {
+      this.storage.removeItem(KEY_STATE);
+      this.storage.removeItem(KEY_CODE_VERIFIER);
+      const tokens: TokenResponse = {
+        access_token: accessToken,
+        token_type: "Bearer",
+        refresh_token: url.searchParams.get("refresh_token") ?? undefined,
+        expires_in: 7200,
+      };
+      this.storeTokens(tokens);
+      return tokens;
+    }
+    // Authorization code flow: exchange code for tokens via PKCE
+    const code = url.searchParams.get("code");
+    if (!code) {
+      throw new Error("Missing authorization code in callback URL");
+    }
     const codeVerifier = this.storage.getItem(KEY_CODE_VERIFIER);
     if (!codeVerifier) {
       throw new Error("Missing PKCE code verifier — was signinRedirect() called?");
@@ -148,7 +192,12 @@ export class BrowserIamSdk {
       code_verifier: codeVerifier,
     });
-    const res = await fetch(discovery.token_endpoint, {
+    // Use proxy URL when configured to avoid CORS on the token endpoint.
+    const tokenUrl = this.config.proxyBaseUrl
+      ? `${this.config.proxyBaseUrl.replace(/\/+$/, "")}/auth/token`
+      : discovery.token_endpoint;
+    const res = await fetch(tokenUrl, {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
       body: body.toString(),
@@ -182,7 +231,11 @@ export class BrowserIamSdk {
       refresh_token: refreshToken,
     });
-    const res = await fetch(discovery.token_endpoint, {
+    const tokenUrl = this.config.proxyBaseUrl
+      ? `${this.config.proxyBaseUrl.replace(/\/+$/, "")}/auth/token`
+      : discovery.token_endpoint;
+    const res = await fetch(tokenUrl, {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
       body: body.toString(),
@@ -417,7 +470,10 @@ export class BrowserIamSdk {
       throw new Error("No valid access token — user must log in");
     }
     const discovery = await this.getDiscovery();
-    const res = await fetch(discovery.userinfo_endpoint, {
+    const userinfoUrl = this.config.proxyBaseUrl
+      ? `${this.config.proxyBaseUrl.replace(/\/+$/, "")}/auth/userinfo`
+      : discovery.userinfo_endpoint;
+    const res = await fetch(userinfoUrl, {
       headers: { Authorization: `Bearer ${token}` },
     });
     if (!res.ok) {

package/src/index.ts CHANGED Viewed

@@ -22,9 +22,8 @@
 // Core client (auth, users, orgs, projects → IAM)
 export { IamClient, IamApiError } from "./client.js";
-// Billing client (subscriptions, plans, payments, usage → Commerce API)
-// Canonical source: commerce.js/billing. Re-exported here for convenience.
-export { BillingClient, IamBillingClient, CommerceApiError } from "./billing.js";
+// Billing has moved to @hanzo/commerce. Import Commerce from "@hanzo/commerce" instead.
+// See: https://docs.hanzo.ai/services/commerce/sdk
 // JWT validation
 export { validateToken, clearJwksCache } from "./auth.js";

package/src/nextauth.ts CHANGED Viewed

@@ -1,17 +1,17 @@
 /**
- * NextAuth.js provider for Hanzo IAM (OIDC-based).
+ * NextAuth.js / Auth.js provider for IAM (OIDC-based).
  *
- * Consolidates the HanzoIamProvider and IamProvider implementations
- * so all Next.js apps can share one canonical implementation.
+ * Provides a canonical NextAuth/Auth.js provider configuration
+ * so all Next.js apps can share one implementation.
  *
  * @example
  * ```ts
  * // next-auth config
- * import { HanzoIamProvider } from "@hanzo/iam/nextauth";
+ * import { IamProvider } from "@hanzo/iam/nextauth";
  *
  * export default NextAuth({
  *   providers: [
- *     HanzoIamProvider({
+ *     IamProvider({
  *       serverUrl: process.env.IAM_SERVER_URL!,
  *       clientId: process.env.IAM_CLIENT_ID!,
  *       clientSecret: process.env.IAM_CLIENT_SECRET!,
@@ -23,7 +23,7 @@
  * @packageDocumentation
  */
-interface HanzoIamProfile extends Record<string, unknown> {
+export interface IamProfile extends Record<string, unknown> {
   sub: string;
   name: string;
   email: string;
@@ -35,7 +35,7 @@ interface HanzoIamProfile extends Record<string, unknown> {
 }
 /**
- * NextAuth.js / Auth.js compatible OAuth provider for Hanzo IAM.
+ * NextAuth.js / Auth.js compatible OAuth provider for IAM.
  *
  * Uses standard OIDC well-known endpoint for automatic configuration.
  * JWT id_token validation (issuer, audience, signature) is handled by
@@ -43,7 +43,7 @@ interface HanzoIamProfile extends Record<string, unknown> {
  *
  * Pass `checks: ["state", "pkce"]` in options for PKCE alignment.
  */
-export function HanzoIamProvider<P extends HanzoIamProfile>(
+export function IamProvider<P extends IamProfile>(
   options: {
     serverUrl: string;
     clientId: string;
@@ -59,8 +59,8 @@ export function HanzoIamProvider<P extends HanzoIamProfile>(
   const checks = options.checks ?? ["state"];
   return {
-    id: "hanzo-iam",
-    name: "Hanzo IAM",
+    id: "iam",
+    name: "IAM",
     type: "oauth",
     wellKnown: `${issuer}/.well-known/openid-configuration`,
     idToken: true,
@@ -88,6 +88,8 @@ export function HanzoIamProvider<P extends HanzoIamProfile>(
   };
 }
-// Re-export with alias for backwards compat
-export { HanzoIamProvider as IamProvider };
-export type { HanzoIamProfile };
+// Backwards-compatible aliases
+/** @deprecated Use IamProvider instead */
+export { IamProvider as HanzoIamProvider };
+/** @deprecated Use IamProfile instead */
+export type { IamProfile as HanzoIamProfile };

package/src/passport.ts ADDED Viewed

@@ -0,0 +1,97 @@
+/**
+ * Passport.js OAuth2 strategy factory for Hanzo IAM.
+ *
+ * Creates a pre-configured passport-oauth2 strategy that authenticates
+ * against hanzo.id with PKCE and fetches user info on callback.
+ *
+ * @example
+ * ```ts
+ * import passport from "passport";
+ * import { createIamPassportStrategy } from "@hanzo/iam/passport";
+ *
+ * passport.use("iam", createIamPassportStrategy({
+ *   serverUrl: "https://hanzo.id",
+ *   clientId: "hanzo-kms-client-id",
+ *   clientSecret: process.env.IAM_CLIENT_SECRET!,
+ *   callbackUrl: "https://kms.hanzo.ai/api/v1/sso/oidc/callback",
+ * }));
+ * ```
+ *
+ * @packageDocumentation
+ */
+import type { IamConfig } from "./types.js";
+export interface IamPassportConfig extends IamConfig {
+  /** Full callback URL for OAuth2 redirect. */
+  callbackUrl: string;
+  /** OAuth2 scopes. Default: "openid profile email". */
+  scope?: string;
+}
+export interface IamPassportUser {
+  accessToken: string;
+  refreshToken?: string;
+  userinfo: Record<string, unknown>;
+}
+/**
+ * Create a Passport OAuth2 strategy for Hanzo IAM.
+ *
+ * Requires `passport-oauth2` as a peer dependency.
+ * Returns an OAuth2Strategy instance ready to pass to `passport.use()`.
+ *
+ * The verify callback fetches userinfo from the IAM server and passes
+ * `{ accessToken, refreshToken, userinfo }` as the user object.
+ */
+export function createIamPassportStrategy(
+  config: IamPassportConfig,
+): unknown {
+  // Dynamic import to keep passport-oauth2 as optional peer dep.
+  // eslint-disable-next-line @typescript-eslint/no-require-imports
+  const { Strategy: OAuth2Strategy } = require("passport-oauth2") as {
+    Strategy: new (
+      options: Record<string, unknown>,
+      verify: (...args: unknown[]) => void,
+    ) => unknown;
+  };
+  const baseUrl = config.serverUrl.replace(/\/+$/, "");
+  const verify = async (
+    ...args: unknown[]
+  ): Promise<void> => {
+    // passReqToCallback=true: (req, accessToken, refreshToken, profile, done)
+    const accessToken = args[1] as string;
+    const refreshToken = args[2] as string | undefined;
+    const done = args[4] as (err: Error | null, user?: IamPassportUser) => void;
+    try {
+      const res = await fetch(`${baseUrl}/api/userinfo`, {
+        headers: { Authorization: `Bearer ${accessToken}` },
+      });
+      if (!res.ok) {
+        return done(new Error(`IAM userinfo failed: ${res.status}`));
+      }
+      const userinfo = (await res.json()) as Record<string, unknown>;
+      done(null, { accessToken, refreshToken, userinfo });
+    } catch (err) {
+      done(err instanceof Error ? err : new Error(String(err)));
+    }
+  };
+  return new OAuth2Strategy(
+    {
+      authorizationURL: `${baseUrl}/login/oauth/authorize`,
+      tokenURL: `${baseUrl}/api/login/oauth/access_token`,
+      clientID: config.clientId,
+      clientSecret: config.clientSecret ?? "",
+      callbackURL: config.callbackUrl,
+      scope: config.scope ?? "openid profile email",
+      state: true,
+      pkce: true,
+      passReqToCallback: true,
+    },
+    verify,
+  );
+}