@icure/cardinal-sdk 2.1.1 → 2.1.3

package/model/security/AuthenticationToken.mjs

@@ -1,8 +1,23 @@
 // auto-generated file
 import { expectNumber, expectString, extractEntry } from '../../internal/JsonDecodeUtils.mjs';
+/**
+ *
+ *  Represents an authentication token associated with a user, including its creation time and
+ *  validity period.
+ *  The token value is stored in encrypted form.
+ *  /
+ */
 export class AuthenticationToken {
     constructor(partial) {
+        /**
+         *
+         *  The encrypted token string.
+         */
         this.token = undefined;
+        /**
+         *
+         *  The epoch-millisecond timestamp of a hard deletion, if the token has been marked for deletion.
+         */
         this.deletionDate = undefined;
         if ('token' in partial)
             this.token = partial.token;

package/model/security/Enable2faRequest.d.mts

@@ -1,5 +1,18 @@
+/**
+ *
+ *
+ *   Request payload for enabling two-factor authentication (2FA) for a user account.
+ */
 export declare class Enable2faRequest {
+    /**
+     *
+     *  The shared TOTP secret used to generate one-time passwords.
+     */
     secret: string;
+    /**
+     *
+     *  The number of digits in each generated one-time password.
+     */
     otpLength: number;
     constructor(partial: Partial<Enable2faRequest> & Pick<Enable2faRequest, "secret" | "otpLength">);
     toJSON(): object;

package/model/security/Enable2faRequest.mjs

@@ -1,5 +1,10 @@
 // auto-generated file
 import { expectNumber, expectString, extractEntry } from '../../internal/JsonDecodeUtils.mjs';
+/**
+ *
+ *
+ *   Request payload for enabling two-factor authentication (2FA) for a user account.
+ */
 export class Enable2faRequest {
     constructor(partial) {
         this.secret = partial.secret;

package/model/security/ExternalJwtConfig.d.mts

@@ -1,7 +1,25 @@
 import { AuthenticationClass } from '../embed/AuthenticationClass.mjs';
+/**
+ *
+ *  Configuration for authenticating users via an externally-issued JWT. Specifies how the token
+ *  should be validated and which JWT field is used to locate the matching iCure user.
+ *  /
+ */
 export declare class ExternalJwtConfig {
+    /**
+     *
+     *  The method used to verify the external JWT signature (public-key or OIDC discovery).
+     */
     validationMethod: ExternalJwtConfig.ValidationMethod;
+    /**
+     *
+     *  The JWT field selector that identifies which user field to match against.
+     */
     fieldSelector: ExternalJwtConfig.FieldSelector;
+    /**
+     *
+     *  The authentication class assigned to sessions created through this configuration.
+     */
     authenticationClass: AuthenticationClass;
     constructor(partial: Partial<ExternalJwtConfig> & Pick<ExternalJwtConfig, "validationMethod" | "fieldSelector">);
     toJSON(): object;
@@ -9,17 +27,48 @@ export declare class ExternalJwtConfig {
 }
 export declare namespace ExternalJwtConfig {
     namespace ValidationMethod {
+        /**
+         *
+         *  Validates the JWT using a static public key.
+         *  /
+         */
         class PublicKey {
+            /**
+             *
+             *  The PEM-encoded or Base64-encoded public key material.
+             */
             key: string;
+            /**
+             *
+             *  The signature algorithm to use; defaults to the algorithm declared in the JWT header when
+             *  null.
+             */
             signatureAlgorithm: string | undefined;
+            /**
+             *
+             *  An optional client identifier to verify against the JWT audience claim.
+             */
             clientId: string | undefined;
             readonly $ktClass: 'com.icure.cardinal.sdk.model.security.ExternalJwtConfig.ValidationMethod.PublicKey';
             constructor(partial: Partial<PublicKey> & Pick<PublicKey, "key">);
             toJSON(): object;
             static fromJSON(json: any, ignoreUnknownKeys?: boolean, path?: Array<string>): PublicKey;
         }
+        /**
+         *
+         *
+         *   Validates the JWT using OIDC discovery from the specified issuer location.
+         */
         class Oidc {
+            /**
+             *
+             *  The OIDC issuer URL used to retrieve the JWKS for signature verification.
+             */
             issuerLocation: string;
+            /**
+             *
+             *  An optional client identifier to verify against the JWT audience claim.
+             */
             clientId: string | undefined;
             readonly $ktClass: 'com.icure.cardinal.sdk.model.security.ExternalJwtConfig.ValidationMethod.Oidc';
             constructor(partial: Partial<Oidc> & Pick<Oidc, "issuerLocation">);
@@ -28,38 +77,93 @@ export declare namespace ExternalJwtConfig {
         }
         function fromJSON(json: any, ignoreUnknownKeys?: boolean, path?: Array<string>): ValidationMethod;
     }
+    /**
+     *
+     *  Sealed interface representing the strategy used to validate the external JWT signature.
+     *  /
+     */
     type ValidationMethod = ValidationMethod.PublicKey | ValidationMethod.Oidc;
     namespace FieldSelector {
+        /**
+         *
+         *
+         *   Selects users by matching a JWT field against the user's local identifier.
+         */
         class LocalId {
+            /**
+             *
+             *  The name of the JWT claim containing the local identifier value.
+             */
             fieldName: string;
             readonly $ktClass: 'com.icure.cardinal.sdk.model.security.ExternalJwtConfig.FieldSelector.LocalId';
             constructor(partial: Partial<LocalId> & Pick<LocalId, "fieldName">);
             toJSON(): object;
             static fromJSON(json: any, ignoreUnknownKeys?: boolean, path?: Array<string>): LocalId;
         }
+        /**
+         *
+         *
+         *   Selects users by matching a JWT field against the user's email address.
+         */
         class Email {
+            /**
+             *
+             *  The name of the JWT claim containing the email value.
+             */
             fieldName: string;
             readonly $ktClass: 'com.icure.cardinal.sdk.model.security.ExternalJwtConfig.FieldSelector.Email';
             constructor(partial: Partial<Email> & Pick<Email, "fieldName">);
             toJSON(): object;
             static fromJSON(json: any, ignoreUnknownKeys?: boolean, path?: Array<string>): Email;
         }
+        /**
+         *
+         *
+         *   Selects users by matching a JWT field against the user's mobile phone number.
+         */
         class MobilePhone {
+            /**
+             *
+             *  The name of the JWT claim containing the mobile phone value.
+             */
             fieldName: string;
             readonly $ktClass: 'com.icure.cardinal.sdk.model.security.ExternalJwtConfig.FieldSelector.MobilePhone';
             constructor(partial: Partial<MobilePhone> & Pick<MobilePhone, "fieldName">);
             toJSON(): object;
             static fromJSON(json: any, ignoreUnknownKeys?: boolean, path?: Array<string>): MobilePhone;
         }
+        /**
+         *
+         *
+         *   Selects users by matching a JWT field against the user's username.
+         */
         class Username {
+            /**
+             *
+             *  The name of the JWT claim containing the username value.
+             */
             fieldName: string;
             readonly $ktClass: 'com.icure.cardinal.sdk.model.security.ExternalJwtConfig.FieldSelector.Username';
             constructor(partial: Partial<Username> & Pick<Username, "fieldName">);
             toJSON(): object;
             static fromJSON(json: any, ignoreUnknownKeys?: boolean, path?: Array<string>): Username;
         }
+        /**
+         *
+         *
+         *   Selects users by matching a JWT field against a structured identifier with a specific
+         *  assigner.
+         */
         class Identifier {
+            /**
+             *
+             *  The assigner system for the identifier to match against.
+             */
             identifierAssigner: string;
+            /**
+             *
+             *  The name of the JWT claim containing the identifier value.
+             */
             fieldName: string;
             readonly $ktClass: 'com.icure.cardinal.sdk.model.security.ExternalJwtConfig.FieldSelector.Identifier';
             constructor(partial: Partial<Identifier> & Pick<Identifier, "identifierAssigner" | "fieldName">);
@@ -68,5 +172,11 @@ export declare namespace ExternalJwtConfig {
         }
         function fromJSON(json: any, ignoreUnknownKeys?: boolean, path?: Array<string>): FieldSelector;
     }
+    /**
+     *
+     *  Sealed interface representing the strategy used to extract the user-matching value from the
+     *  external JWT claims.
+     *  /
+     */
     type FieldSelector = FieldSelector.LocalId | FieldSelector.Email | FieldSelector.MobilePhone | FieldSelector.Username | FieldSelector.Identifier;
 }

package/model/security/ExternalJwtConfig.mjs

@@ -1,8 +1,18 @@
 // auto-generated file
 import { expectObject, expectString, expectStringEnum, extractEntry } from '../../internal/JsonDecodeUtils.mjs';
 import { AuthenticationClass } from '../embed/AuthenticationClass.mjs';
+/**
+ *
+ *  Configuration for authenticating users via an externally-issued JWT. Specifies how the token
+ *  should be validated and which JWT field is used to locate the matching iCure user.
+ *  /
+ */
 export class ExternalJwtConfig {
     constructor(partial) {
+        /**
+         *
+         *  The authentication class assigned to sessions created through this configuration.
+         */
         this.authenticationClass = AuthenticationClass.ExternalAuthentication;
         this.validationMethod = partial.validationMethod;
         this.fieldSelector = partial.fieldSelector;
@@ -36,9 +46,23 @@ export class ExternalJwtConfig {
 (function (ExternalJwtConfig) {
     let ValidationMethod;
     (function (ValidationMethod) {
+        /**
+         *
+         *  Validates the JWT using a static public key.
+         *  /
+         */
         class PublicKey {
             constructor(partial) {
+                /**
+                 *
+                 *  The signature algorithm to use; defaults to the algorithm declared in the JWT header when
+                 *  null.
+                 */
                 this.signatureAlgorithm = undefined;
+                /**
+                 *
+                 *  An optional client identifier to verify against the JWT audience claim.
+                 */
                 this.clientId = undefined;
                 this.$ktClass = 'com.icure.cardinal.sdk.model.security.ExternalJwtConfig.ValidationMethod.PublicKey';
                 this.key = partial.key;
@@ -77,8 +101,17 @@ export class ExternalJwtConfig {
             }
         }
         ValidationMethod.PublicKey = PublicKey;
+        /**
+         *
+         *
+         *   Validates the JWT using OIDC discovery from the specified issuer location.
+         */
         class Oidc {
             constructor(partial) {
+                /**
+                 *
+                 *  An optional client identifier to verify against the JWT audience claim.
+                 */
                 this.clientId = undefined;
                 this.$ktClass = 'com.icure.cardinal.sdk.model.security.ExternalJwtConfig.ValidationMethod.Oidc';
                 this.issuerLocation = partial.issuerLocation;
@@ -123,6 +156,11 @@ export class ExternalJwtConfig {
     })(ValidationMethod = ExternalJwtConfig.ValidationMethod || (ExternalJwtConfig.ValidationMethod = {}));
     let FieldSelector;
     (function (FieldSelector) {
+        /**
+         *
+         *
+         *   Selects users by matching a JWT field against the user's local identifier.
+         */
         class LocalId {
             constructor(partial) {
                 this.$ktClass = 'com.icure.cardinal.sdk.model.security.ExternalJwtConfig.FieldSelector.LocalId';
@@ -152,6 +190,11 @@ export class ExternalJwtConfig {
             }
         }
         FieldSelector.LocalId = LocalId;
+        /**
+         *
+         *
+         *   Selects users by matching a JWT field against the user's email address.
+         */
         class Email {
             constructor(partial) {
                 this.$ktClass = 'com.icure.cardinal.sdk.model.security.ExternalJwtConfig.FieldSelector.Email';
@@ -181,6 +224,11 @@ export class ExternalJwtConfig {
             }
         }
         FieldSelector.Email = Email;
+        /**
+         *
+         *
+         *   Selects users by matching a JWT field against the user's mobile phone number.
+         */
         class MobilePhone {
             constructor(partial) {
                 this.$ktClass = 'com.icure.cardinal.sdk.model.security.ExternalJwtConfig.FieldSelector.MobilePhone';
@@ -210,6 +258,11 @@ export class ExternalJwtConfig {
             }
         }
         FieldSelector.MobilePhone = MobilePhone;
+        /**
+         *
+         *
+         *   Selects users by matching a JWT field against the user's username.
+         */
         class Username {
             constructor(partial) {
                 this.$ktClass = 'com.icure.cardinal.sdk.model.security.ExternalJwtConfig.FieldSelector.Username';
@@ -239,6 +292,12 @@ export class ExternalJwtConfig {
             }
         }
         FieldSelector.Username = Username;
+        /**
+         *
+         *
+         *   Selects users by matching a JWT field against a structured identifier with a specific
+         *  assigner.
+         */
         class Identifier {
             constructor(partial) {
                 this.$ktClass = 'com.icure.cardinal.sdk.model.security.ExternalJwtConfig.FieldSelector.Identifier';

package/model/security/LoginIdentifier.d.mts

@@ -1,5 +1,19 @@
+/**
+ *
+ *  A structured identifier used to match a user during login, composed of an assigner system and a
+ *  value within that system.
+ *  /
+ */
 export declare class LoginIdentifier {
+    /**
+     *
+     *  The system or authority that issued or manages this identifier.
+     */
     assigner: string;
+    /**
+     *
+     *  The identifier value within the assigner's namespace.
+     */
     value: string;
     constructor(partial: Partial<LoginIdentifier> & Pick<LoginIdentifier, "assigner" | "value">);
     toJSON(): object;

package/model/security/LoginIdentifier.mjs

@@ -1,5 +1,11 @@
 // auto-generated file
 import { expectString, extractEntry } from '../../internal/JsonDecodeUtils.mjs';
+/**
+ *
+ *  A structured identifier used to match a user during login, composed of an assigner system and a
+ *  value within that system.
+ *  /
+ */
 export class LoginIdentifier {
     constructor(partial) {
         this.assigner = partial.assigner;

package/model/security/Operation.d.mts

@@ -1,3 +1,8 @@
+/**
+ *
+ *
+ *   Enumerates privileged operations that can be authorized via a dedicated operation token.
+ */
 export declare enum Operation {
     TransferGroup = "TransferGroup"
 }

package/model/security/Operation.mjs

@@ -1,4 +1,9 @@
 // auto-generated file
+/**
+ *
+ *
+ *   Enumerates privileged operations that can be authorized via a dedicated operation token.
+ */
 export var Operation;
 (function (Operation) {
     Operation["TransferGroup"] = "TransferGroup";

package/model/security/OperationToken.d.mts

@@ -1,9 +1,36 @@
 import { Operation } from './Operation.mjs';
+/**
+ *
+ *  Represents a short-lived token that authorizes a single privileged operation (e.g. group
+ *  transfer).
+ *  The token is stored as a hash rather than in plain text.
+ *  /
+ */
 export declare class OperationToken {
+    /**
+     *
+     *  The hash of the operation token.
+     */
     tokenHash: string;
+    /**
+     *
+     *  The epoch-millisecond timestamp at which the token was created.
+     */
     creationTime: number;
+    /**
+     *
+     *  The duration in seconds for which the token remains valid after creation.
+     */
     validity: number;
+    /**
+     *
+     *  The specific operation this token is intended to authorize.
+     */
     operation: Operation;
+    /**
+     *
+     *  An optional human-readable description of the token's purpose.
+     */
     description: string | undefined;
     constructor(partial: Partial<OperationToken> & Pick<OperationToken, "tokenHash" | "creationTime" | "validity" | "operation">);
     toJSON(): object;

package/model/security/OperationToken.mjs

@@ -1,8 +1,19 @@
 // auto-generated file
 import { expectNumber, expectString, expectStringEnum, extractEntry } from '../../internal/JsonDecodeUtils.mjs';
 import { Operation } from './Operation.mjs';
+/**
+ *
+ *  Represents a short-lived token that authorizes a single privileged operation (e.g. group
+ *  transfer).
+ *  The token is stored as a hash rather than in plain text.
+ *  /
+ */
 export class OperationToken {
     constructor(partial) {
+        /**
+         *
+         *  An optional human-readable description of the token's purpose.
+         */
         this.description = undefined;
         this.tokenHash = partial.tokenHash;
         this.creationTime = partial.creationTime;

package/model/security/Permission.d.mts

@@ -1,6 +1,20 @@
 import { PermissionItem } from './PermissionItem.mjs';
+/**
+ *
+ *  Represents the combined set of granted and revoked permissions for a user or role.
+ *  Revocations take precedence over grants when both apply to the same permission type.
+ *  /
+ */
 export declare class Permission {
+    /**
+     *
+     *  The set of permission items that are explicitly granted.
+     */
     grants: Array<PermissionItem>;
+    /**
+     *
+     *  The set of permission items that are explicitly revoked.
+     */
     revokes: Array<PermissionItem>;
     constructor(partial: Partial<Permission>);
     toJSON(): object;

package/model/security/Permission.mjs

@@ -1,9 +1,23 @@
 // auto-generated file
 import { expectArray, expectObject, extractEntry } from '../../internal/JsonDecodeUtils.mjs';
 import { PermissionItem } from './PermissionItem.mjs';
+/**
+ *
+ *  Represents the combined set of granted and revoked permissions for a user or role.
+ *  Revocations take precedence over grants when both apply to the same permission type.
+ *  /
+ */
 export class Permission {
     constructor(partial) {
+        /**
+         *
+         *  The set of permission items that are explicitly granted.
+         */
         this.grants = [];
+        /**
+         *
+         *  The set of permission items that are explicitly revoked.
+         */
         this.revokes = [];
         if ('grants' in partial && partial.grants !== undefined)
             this.grants = partial.grants;

package/model/security/PermissionItem.d.mts

@@ -1,4 +1,11 @@
 import { AlwaysPermissionItem } from './AlwaysPermissionItem.mjs';
+/**
+ *
+ *  Sealed interface representing a single permission entry that pairs a permission type with a
+ *  predicate.
+ *  The predicate defines the condition under which the permission applies.
+ *  /
+ */
 export type PermissionItem = AlwaysPermissionItem;
 export declare namespace PermissionItem {
     function fromJSON(json: any, ignoreUnknownKeys?: boolean, path?: Array<string>): PermissionItem;

package/model/security/PermissionType.d.mts

@@ -1,3 +1,9 @@
+/**
+ *
+ *
+ *   Enumerates the categories of operations or data access that can be granted or revoked as
+ *  permissions in iCure.
+ */
 export declare enum PermissionType {
     Authenticate = "Authenticate",
     Hcp = "Hcp",

package/model/security/PermissionType.mjs

@@ -1,4 +1,10 @@
 // auto-generated file
+/**
+ *
+ *
+ *   Enumerates the categories of operations or data access that can be granted or revoked as
+ *  permissions in iCure.
+ */
 export var PermissionType;
 (function (PermissionType) {
     PermissionType["Authenticate"] = "Authenticate";

package/model/security/TokenWithGroup.d.mts

@@ -1,6 +1,23 @@
+/**
+ *
+ *
+ *   Associates a JWT or authentication token with the group context in which it is valid.
+ */
 export declare class TokenWithGroup {
+    /**
+     *
+     *  The authentication token string.
+     */
     token: string;
+    /**
+     *
+     *  The identifier of the group this token is scoped to.
+     */
     groupId: string;
+    /**
+     *
+     *  The human-readable name of the group, if available.
+     */
     groupName: string | undefined;
     constructor(partial: Partial<TokenWithGroup> & Pick<TokenWithGroup, "token" | "groupId">);
     toJSON(): object;

package/model/security/TokenWithGroup.mjs

@@ -1,7 +1,16 @@
 // auto-generated file
 import { expectString, extractEntry } from '../../internal/JsonDecodeUtils.mjs';
+/**
+ *
+ *
+ *   Associates a JWT or authentication token with the group context in which it is valid.
+ */
 export class TokenWithGroup {
     constructor(partial) {
+        /**
+         *
+         *  The human-readable name of the group, if available.
+         */
         this.groupName = undefined;
         this.token = partial.token;
         this.groupId = partial.groupId;

package/model/specializations/AesExchangeKeyEncryptionKeypairIdentifier.d.mts

@@ -1,2 +1,9 @@
 import { Tagged } from '../../internal/TaggedType.mjs';
+/**
+ *
+ *  A string that represents the keypair used for the encryption of an aes exchange key entry. This should usually be
+ *  a fingerprint v1, but due to bugs in older iCure version it may also be a public key in hex-encoded spki format, or
+ *  due to corruption of some healthcare parties public key it may also be an empty string, to represent the fact that
+ *  the key used for the encryption is unknown.
+ */
 export type AesExchangeKeyEncryptionKeypairIdentifier = Tagged<string, 'com.icure.cardinal.sdk.model.specializations.AesExchangeKeyEncryptionKeypairIdentifier'>;

package/options/AuthenticationMethod.d.mts

@@ -84,7 +84,12 @@ export declare namespace AuthenticationMethod {
             /**
              * During login consider only configurations that can provide at least this authentication class
              */
-            readonly minimumAuthenticationClass?: AuthenticationClass | undefined;
+            readonly minimumAuthenticationClass: AuthenticationClass | undefined;
+            /**
+             * (INTERNAL USE ONLY) only use the project id specified in the initialize method to choose the configuration of
+             * the external token, but not the group where to log in. This is probably not the option you are looking for.
+             */
+            readonly doNotUseProjectIdForGroupSelection: boolean | undefined;
             constructor(
             /**
              * The id of the configuration that specifies how the token should be validated and how it should be used to find
@@ -96,11 +101,10 @@ export declare namespace AuthenticationMethod {
             /**
              * A token used to perform the external authentication
              */
-            token: string, 
-            /**
-             * During login consider only configurations that can provide at least this authentication class
-             */
-            minimumAuthenticationClass?: AuthenticationClass | undefined);
+            token: string, props?: {
+                minimumAuthenticationClass?: AuthenticationClass;
+                doNotUseProjectIdForGroupSelection?: boolean;
+            });
         }
         class JwtCredentials {
             /**
@@ -193,7 +197,10 @@ export declare namespace SecretProviderAuthenticationOptions {
         class ExternalAuthenticationToken {
             readonly token: string;
             readonly configId: string;
-            constructor(token: string, configId: string);
+            readonly doNotUseProjectIdForGroupSelection: boolean | undefined;
+            constructor(token: string, configId: string, props?: {
+                doNotUseProjectIdForGroupSelection?: boolean;
+            });
         }
     }
     type InitialSecret = InitialSecret.Password | InitialSecret.LongLivedToken | InitialSecret.ExternalAuthenticationToken;
@@ -272,7 +279,8 @@ export declare namespace AuthSecretDetails {
     class ConfiguredExternalAuthenticationDetails {
         readonly configId: string;
         readonly secret: string;
-        readonly minimumAuthenticationClass?: AuthenticationClass | undefined;
+        readonly minimumAuthenticationClass: AuthenticationClass | undefined;
+        readonly doNotUseProjectIdForGroupSelection: boolean | undefined;
         /**
          * Login using a token or other secret provided by another authentication service configured for your project.
          *
@@ -282,10 +290,16 @@ export declare namespace AuthSecretDetails {
          *
          * @param configId id of the configuration to use for authentication.
          * @param secret the token or another secret that will be used for authentication.
-         * @param minimumAuthenticationClass only consider configurations that can provide at least this authentication class. The actual
+         * @param props
+         *  - minimumAuthenticationClass only consider configurations that can provide at least this authentication class. The actual
          * authentication class obtained for the token may be higher.
+         *  - doNotUseProjectIdForGroupSelection (INTERNAL USE ONLY) only use the project id specified in the initialize method to choose the configuration of
+         *     the external token, but not the group where to log in. This is probably not the option you are looking for.
          */
-        constructor(configId: string, secret: string, minimumAuthenticationClass?: AuthenticationClass | undefined);
+        constructor(configId: string, secret: string, props?: {
+            minimumAuthenticationClass?: AuthenticationClass;
+            doNotUseProjectIdForGroupSelection?: boolean;
+        });
     }
 }
 export type AuthSecretDetails = AuthSecretDetails.PasswordDetails | AuthSecretDetails.TwoFactorAuthTokenDetails | AuthSecretDetails.ShortLivedTokenDetails | AuthSecretDetails.LongLivedTokenDetails | AuthSecretDetails.ConfiguredExternalAuthenticationDetails;