@hanzo/iam 0.6.1 → 0.6.2

package/src/client.ts

@@ -1,5 +1,5 @@
 /**
- * Core HTTP client for Hanzo IAM (Casdoor) API.
+ * Core HTTP client for Hanzo IAM API.
  */
 
 import type {
@@ -7,7 +7,6 @@ import type {
   IamApiResponse,
   IamUser,
   IamOrganization,
-  IamInvitation,
   IamProject,
   OidcDiscovery,
   TokenResponse,
@@ -184,6 +183,46 @@ export class IamClient {
     }
   }
 
+  /**
+   * Resource Owner Password Credentials grant.
+   * Used for service-to-service auth, CLI login, and e2e tests.
+   */
+  async passwordGrant(params: {
+    username: string;
+    password: string;
+    scope?: string;
+  }): Promise<TokenResponse> {
+    const discovery = await this.getDiscovery();
+    const body = new URLSearchParams({
+      grant_type: "password",
+      client_id: this.clientId,
+      username: params.username,
+      password: params.password,
+      scope: params.scope ?? "openid profile email phone",
+    });
+    if (this.clientSecret) {
+      body.set("client_secret", this.clientSecret);
+    }
+
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), DEFAULT_TIMEOUT_MS);
+    try {
+      const res = await fetch(discovery.token_endpoint, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: body.toString(),
+        signal: controller.signal,
+      });
+      if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new IamApiError(res.status, `Password grant failed: ${text}`);
+      }
+      return (await res.json()) as TokenResponse;
+    } finally {
+      clearTimeout(timer);
+    }
+  }
+
   /** Refresh an access token. */
   async refreshToken(refreshToken: string): Promise<TokenResponse> {
     const discovery = await this.getDiscovery();
@@ -253,76 +292,12 @@ export class IamClient {
 
   /** List organizations (for the configured owner). */
   async getOrganizations(token?: string): Promise<IamOrganization[]> {
-    // Build the user's org list from JWT claims.
-    // The user's "owner" field is the signup org (used for auth only).
-    // Their personal org (name == username) is their actual workspace.
-    // Additional orgs come from invitations (future: membership table).
-    const orgs: IamOrganization[] = [];
-    const orgNames = new Set<string>();
-
-    let signupOrg = "";
-
-    if (token) {
-      try {
-        let b64 = token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
-        while (b64.length % 4) b64 += "=";
-        const payload = JSON.parse(atob(b64));
-        const userOwner = payload.owner as string;
-        const userName = payload.name as string;
-
-        signupOrg = userOwner;
-        const isAdmin = !!payload.isAdmin;
-
-        // Personal org (name == username) is the user's primary workspace.
-        if (userName && userName !== userOwner) {
-          orgs.push({
-            owner: "admin",
-            name: userName,
-            displayName: userName,
-          });
-          orgNames.add(userName);
-        }
-
-        // Admin users also see their signup org (they manage it).
-        // Non-admin users only see their personal org.
-        if (isAdmin && userOwner && !orgNames.has(userOwner)) {
-          orgs.push({ owner: "admin", name: userOwner, displayName: userOwner });
-          orgNames.add(userOwner);
-        }
-
-        // If no personal org (username == owner), show the signup org as workspace
-        if (!orgNames.size && userOwner) {
-          orgs.push({ owner: "admin", name: userOwner, displayName: userOwner });
-          orgNames.add(userOwner);
-        }
-      } catch {
-        // JWT parse failed
-      }
-    }
-
-    // Try the API to get additional orgs the user was invited to.
-    // Exclude the signup org (it's just for auth, not a workspace).
     const owner = this.orgName ?? "admin";
-    try {
-      const resp = await this.request<IamApiResponse<IamOrganization[]>>(
-        "/api/get-organizations",
-        { params: { owner }, token },
-      );
-      if (resp.data) {
-        for (const org of resp.data) {
-          // Skip the signup org — it's not a user workspace
-          if (org.name === signupOrg && orgNames.size > 0) continue;
-          if (!orgNames.has(org.name)) {
-            orgs.push(org);
-            orgNames.add(org.name);
-          }
-        }
-      }
-    } catch {
-      // API failed — JWT-derived orgs are sufficient
-    }
-
-    return orgs;
+    const resp = await this.request<IamApiResponse<IamOrganization[]>>(
+      "/api/get-organizations",
+      { params: { owner }, token },
+    );
+    return resp.data ?? [];
   }
 
   /** Get a specific organization. */
@@ -342,7 +317,7 @@ export class IamClient {
     userId: string,
     token?: string,
   ): Promise<IamOrganization[]> {
-    // Casdoor returns orgs the user is a member of via the user's properties.
+    // IAM returns orgs the user is a member of via the user's properties.
     // We can also query via get-user and read their signupApplication/org.
     const user = await this.getUser(userId, token);
     if (!user) return [];
@@ -354,88 +329,6 @@ export class IamClient {
     return org ? [org] : [];
   }
 
-  /** Create a new organization. */
-  async createOrganization(
-    org: Partial<IamOrganization>,
-    token?: string,
-  ): Promise<IamApiResponse<IamOrganization>> {
-    return this.request<IamApiResponse<IamOrganization>>(
-      "/api/add-organization",
-      { method: "POST", body: org, token },
-    );
-  }
-
-  /** Update an existing organization. */
-  async updateOrganization(
-    org: Partial<IamOrganization>,
-    token?: string,
-  ): Promise<IamApiResponse<IamOrganization>> {
-    return this.request<IamApiResponse<IamOrganization>>(
-      "/api/update-organization",
-      { method: "POST", body: org, token },
-    );
-  }
-
-  /** Delete an organization by owner and name. */
-  async deleteOrganization(
-    org: { owner: string; name: string },
-    token?: string,
-  ): Promise<IamApiResponse<IamOrganization>> {
-    return this.request<IamApiResponse<IamOrganization>>(
-      "/api/delete-organization",
-      { method: "POST", body: org, token },
-    );
-  }
-
-  // -----------------------------------------------------------------------
-  // Invitation
-  // -----------------------------------------------------------------------
-
-  /** List invitations for an owner (organization). */
-  async getInvitations(
-    owner: string,
-    token?: string,
-  ): Promise<IamInvitation[]> {
-    const resp = await this.request<IamApiResponse<IamInvitation[]>>(
-      "/api/get-invitations",
-      { params: { owner }, token },
-    );
-    return resp.data ?? [];
-  }
-
-  /** Create a new invitation. */
-  async createInvitation(
-    invitation: Partial<IamInvitation>,
-    token?: string,
-  ): Promise<IamApiResponse<IamInvitation>> {
-    return this.request<IamApiResponse<IamInvitation>>(
-      "/api/add-invitation",
-      { method: "POST", body: invitation, token },
-    );
-  }
-
-  /** Send an invitation by owner and name. */
-  async sendInvitation(
-    invitation: { owner: string; name: string },
-    token?: string,
-  ): Promise<IamApiResponse<IamInvitation>> {
-    return this.request<IamApiResponse<IamInvitation>>(
-      "/api/send-invitation",
-      { method: "POST", body: invitation, token },
-    );
-  }
-
-  /** Verify an invitation code. */
-  async verifyInvitation(
-    code: string,
-    token?: string,
-  ): Promise<IamApiResponse<IamInvitation>> {
-    return this.request<IamApiResponse<IamInvitation>>(
-      "/api/verify-invitation",
-      { params: { code }, token },
-    );
-  }
-
   // -----------------------------------------------------------------------
   // Project
   // -----------------------------------------------------------------------

package/src/index.ts

@@ -14,7 +14,7 @@
  * });
  *
  * const billing = new BillingClient({
- *   commerceUrl: "https://commerce-api.hanzo.ai/api",
+ *   commerceUrl: "https://commerce.hanzo.ai",
  * });
  * ```
  */
@@ -43,7 +43,6 @@ export type {
   IamJwtClaims,
   IamUser,
   IamOrganization,
-  IamInvitation,
   IamProject,
   Subscription,
   Plan,

package/src/nextauth.ts

@@ -1,17 +1,17 @@
 /**
- * NextAuth.js provider for Hanzo IAM (OIDC-based).
+ * NextAuth.js / Auth.js provider for IAM (OIDC-based).
  *
- * Consolidates the HanzoIamProvider and IamProvider implementations
- * so all Next.js apps can share one canonical implementation.
+ * Provides a canonical NextAuth/Auth.js provider configuration
+ * so all Next.js apps can share one implementation.
  *
  * @example
  * ```ts
  * // next-auth config
- * import { HanzoIamProvider } from "@hanzo/iam/nextauth";
+ * import { IamProvider } from "@hanzo/iam/nextauth";
  *
  * export default NextAuth({
  *   providers: [
- *     HanzoIamProvider({
+ *     IamProvider({
  *       serverUrl: process.env.IAM_SERVER_URL!,
  *       clientId: process.env.IAM_CLIENT_ID!,
  *       clientSecret: process.env.IAM_CLIENT_SECRET!,
@@ -23,7 +23,7 @@
  * @packageDocumentation
  */
 
-interface HanzoIamProfile extends Record<string, unknown> {
+export interface IamProfile extends Record<string, unknown> {
   sub: string;
   name: string;
   email: string;
@@ -35,7 +35,7 @@ interface HanzoIamProfile extends Record<string, unknown> {
 }
 
 /**
- * NextAuth.js / Auth.js compatible OAuth provider for Hanzo IAM.
+ * NextAuth.js / Auth.js compatible OAuth provider for IAM.
  *
  * Uses standard OIDC well-known endpoint for automatic configuration.
  * JWT id_token validation (issuer, audience, signature) is handled by
@@ -43,7 +43,7 @@ interface HanzoIamProfile extends Record<string, unknown> {
  *
  * Pass `checks: ["state", "pkce"]` in options for PKCE alignment.
  */
-export function HanzoIamProvider<P extends HanzoIamProfile>(
+export function IamProvider<P extends IamProfile>(
   options: {
     serverUrl: string;
     clientId: string;
@@ -59,8 +59,8 @@ export function HanzoIamProvider<P extends HanzoIamProfile>(
   const checks = options.checks ?? ["state"];
 
   return {
-    id: "hanzo-iam",
-    name: "Hanzo IAM",
+    id: "iam",
+    name: "IAM",
     type: "oauth",
     wellKnown: `${issuer}/.well-known/openid-configuration`,
     idToken: true,
@@ -88,6 +88,8 @@ export function HanzoIamProvider<P extends HanzoIamProfile>(
   };
 }
 
-// Re-export with alias for backwards compat
-export { HanzoIamProvider as IamProvider };
-export type { HanzoIamProfile };
+// Backwards-compatible aliases
+/** @deprecated Use IamProvider instead */
+export { IamProvider as HanzoIamProvider };
+/** @deprecated Use IamProfile instead */
+export type { IamProfile as HanzoIamProfile };

package/src/passport.ts

@@ -0,0 +1,97 @@
+/**
+ * Passport.js OAuth2 strategy factory for Hanzo IAM.
+ *
+ * Creates a pre-configured passport-oauth2 strategy that authenticates
+ * against hanzo.id with PKCE and fetches user info on callback.
+ *
+ * @example
+ * ```ts
+ * import passport from "passport";
+ * import { createIamPassportStrategy } from "@hanzo/iam/passport";
+ *
+ * passport.use("iam", createIamPassportStrategy({
+ *   serverUrl: "https://hanzo.id",
+ *   clientId: "hanzo-kms-client-id",
+ *   clientSecret: process.env.IAM_CLIENT_SECRET!,
+ *   callbackUrl: "https://kms.hanzo.ai/api/v1/sso/oidc/callback",
+ * }));
+ * ```
+ *
+ * @packageDocumentation
+ */
+
+import type { IamConfig } from "./types.js";
+
+export interface IamPassportConfig extends IamConfig {
+  /** Full callback URL for OAuth2 redirect. */
+  callbackUrl: string;
+  /** OAuth2 scopes. Default: "openid profile email". */
+  scope?: string;
+}
+
+export interface IamPassportUser {
+  accessToken: string;
+  refreshToken?: string;
+  userinfo: Record<string, unknown>;
+}
+
+/**
+ * Create a Passport OAuth2 strategy for Hanzo IAM.
+ *
+ * Requires `passport-oauth2` as a peer dependency.
+ * Returns an OAuth2Strategy instance ready to pass to `passport.use()`.
+ *
+ * The verify callback fetches userinfo from the IAM server and passes
+ * `{ accessToken, refreshToken, userinfo }` as the user object.
+ */
+export function createIamPassportStrategy(
+  config: IamPassportConfig,
+): unknown {
+  // Dynamic import to keep passport-oauth2 as optional peer dep.
+  // eslint-disable-next-line @typescript-eslint/no-require-imports
+  const { Strategy: OAuth2Strategy } = require("passport-oauth2") as {
+    Strategy: new (
+      options: Record<string, unknown>,
+      verify: (...args: unknown[]) => void,
+    ) => unknown;
+  };
+
+  const baseUrl = config.serverUrl.replace(/\/+$/, "");
+
+  const verify = async (
+    ...args: unknown[]
+  ): Promise<void> => {
+    // passReqToCallback=true: (req, accessToken, refreshToken, profile, done)
+    const accessToken = args[1] as string;
+    const refreshToken = args[2] as string | undefined;
+    const done = args[4] as (err: Error | null, user?: IamPassportUser) => void;
+
+    try {
+      const res = await fetch(`${baseUrl}/oauth/userinfo`, {
+        headers: { Authorization: `Bearer ${accessToken}` },
+      });
+      if (!res.ok) {
+        return done(new Error(`IAM userinfo failed: ${res.status}`));
+      }
+      const userinfo = (await res.json()) as Record<string, unknown>;
+      done(null, { accessToken, refreshToken, userinfo });
+    } catch (err) {
+      done(err instanceof Error ? err : new Error(String(err)));
+    }
+  };
+
+  return new OAuth2Strategy(
+    {
+      authorizationURL: `${baseUrl}/oauth/authorize`,
+      tokenURL: `${baseUrl}/oauth/token`,
+      clientID: config.clientId,
+      clientSecret: config.clientSecret ?? "",
+      callbackURL: config.callbackUrl,
+      scope: config.scope ?? "openid profile email",
+      state: true,
+      pkce: true,
+      passReqToCallback: true,
+    },
+    verify,
+  );
+}

package/src/pkce.ts

@@ -1,7 +1,7 @@
 /**
  * PKCE (Proof Key for Code Exchange) utilities for browser-side OAuth2 flows.
  *
- * Adapted from casdoor-js-sdk, modernized for native Web Crypto API.
+ * PKCE utilities for OAuth2 flows, using native Web Crypto API.
  */
 
 function generateRandomString(length: number): string {