@idp.global/interfaces 1.0.1

package/ts/readme.md

@@ -0,0 +1,133 @@
+# @idp.global/interfaces
+
+Shared TypeScript contracts for the `idp.global` backend, browser client, CLI, and frontend.
+
+Use this package when you want typed request/response payloads and shared data models for users, sessions, organizations, apps, billing, passport devices, alerts, and OIDC.
+
+## Issue Reporting and Security
+
+For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
+
+## Install
+
+```bash
+pnpm add @idp.global/interfaces
+```
+
+## Quick Start
+
+```ts
+import { data, request, tags } from '@idp.global/interfaces';
+
+const loginRequest: request.IReq_LoginWithEmailOrUsernameAndPassword['request'] = {
+  username: 'user@example.com',
+  password: 'secret',
+};
+
+const organization: data.IOrganization = {
+  id: 'org_1',
+  data: {
+    name: 'Acme',
+    slug: 'acme',
+    billingPlanId: 'plan_free',
+    roleIds: [],
+  },
+};
+```
+
+## Exports
+
+### `data`
+
+The `data` export includes types for:
+
+- users
+- organizations
+- roles
+- JWT payloads
+- login sessions
+- devices
+- activity logs
+- alerts and alert rules
+- apps and app connections
+- billing plans and Paddle checkout data
+- passport devices, challenges, and nonces
+- abuse windows
+- OIDC data structures
+- invitations
+
+### `request`
+
+The `request` export includes typed request contracts for:
+
+- login, logout, refresh, password reset, and device attachment
+- registration flow requests
+- user and session queries
+- organization CRUD-style requests
+- invitations and membership changes
+- app and admin actions
+- billing and JWT validation support
+- alert and passport approval flows
+- OIDC authorization preparation and completion
+
+### `tags`
+
+Shared tag exports live under `tags/`.
+
+## Layout
+
+| Path | Purpose |
+| --- | --- |
+| `data/index.ts` | Re-exports all shared data interfaces |
+| `request/index.ts` | Re-exports all typed request contracts |
+| `tags/index.ts` | Re-exports shared tags |
+
+## Examples
+
+### Login Contract
+
+```ts
+type TLogin = request.IReq_LoginWithEmailOrUsernameAndPassword;
+
+const payload: TLogin['request'] = {
+  username: 'user@example.com',
+  password: 'secret',
+};
+```
+
+### Session Contract
+
+```ts
+type TSessions = request.IReq_GetUserSessions['response']['sessions'];
+```
+
+### OIDC Contract
+
+```ts
+type TUserInfo = data.IUserInfoResponse;
+```
+
+## Scope
+
+This package is intentionally contract-only. It does not open sockets, store auth state, or perform HTTP/websocket communication by itself.
+
+## License and Legal Information
+
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
+
+**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
+
+### Trademarks
+
+This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
+
+Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
+
+### Company Information
+
+Task Venture Capital GmbH  
+Registered at District Court Bremen HRB 35230 HB, Germany
+
+For any legal inquiries or further information, please contact us via email at hello@task.vc.
+
+By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.

package/ts/request/admin.ts

@@ -0,0 +1,130 @@
+import * as plugins from '../plugins.js';
+import * as data from '../data/index.js';
+
+/**
+ * Check if the current user is a global admin
+ */
+export interface IReq_CheckGlobalAdmin
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_CheckGlobalAdmin
+  > {
+  method: 'checkGlobalAdmin';
+  request: {
+    jwt: string;
+  };
+  response: {
+    isGlobalAdmin: boolean;
+  };
+}
+
+/**
+ * Get all global apps with statistics (admin only)
+ */
+export interface IReq_GetGlobalAppStats
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_GetGlobalAppStats
+  > {
+  method: 'getGlobalAppStats';
+  request: {
+    jwt: string;
+  };
+  response: {
+    apps: Array<{
+      app: data.IGlobalApp;
+      connectionCount: number;
+    }>;
+  };
+}
+
+/**
+ * Create a new global app (admin only)
+ */
+export interface IReq_CreateGlobalApp
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_CreateGlobalApp
+  > {
+  method: 'createGlobalApp';
+  request: {
+    jwt: string;
+    name: string;
+    description: string;
+    logoUrl: string;
+    appUrl: string;
+    category: string;
+    redirectUris: string[];
+    allowedScopes: string[];
+  };
+  response: {
+    app: data.IGlobalApp;
+    clientSecret: string; // Only shown once on creation
+  };
+}
+
+/**
+ * Update an existing global app (admin only)
+ */
+export interface IReq_UpdateGlobalApp
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_UpdateGlobalApp
+  > {
+  method: 'updateGlobalApp';
+  request: {
+    jwt: string;
+    appId: string;
+    updates: {
+      name?: string;
+      description?: string;
+      logoUrl?: string;
+      appUrl?: string;
+      category?: string;
+      isActive?: boolean;
+      redirectUris?: string[];
+      allowedScopes?: string[];
+    };
+  };
+  response: {
+    app: data.IGlobalApp;
+  };
+}
+
+/**
+ * Delete a global app (admin only)
+ */
+export interface IReq_DeleteGlobalApp
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_DeleteGlobalApp
+  > {
+  method: 'deleteGlobalApp';
+  request: {
+    jwt: string;
+    appId: string;
+  };
+  response: {
+    success: boolean;
+    disconnectedOrganizations: number;
+  };
+}
+
+/**
+ * Regenerate OAuth credentials for a global app (admin only)
+ */
+export interface IReq_RegenerateAppCredentials
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_RegenerateAppCredentials
+  > {
+  method: 'regenerateAppCredentials';
+  request: {
+    jwt: string;
+    appId: string;
+  };
+  response: {
+    clientId: string;
+    clientSecret: string; // Only shown once
+  };
+}

package/ts/request/alert.ts

@@ -0,0 +1,113 @@
+import * as plugins from '../plugins.js';
+import * as data from '../data/index.js';
+import type { IPassportDeviceSignedRequest } from './passport.js';
+
+export interface IReq_ListPassportAlerts
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_ListPassportAlerts
+  > {
+  method: 'listPassportAlerts';
+  request: IPassportDeviceSignedRequest & {
+    includeDismissed?: boolean;
+  };
+  response: {
+    alerts: data.IAlert[];
+  };
+}
+
+export interface IReq_GetPassportAlertByHint
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_GetPassportAlertByHint
+  > {
+  method: 'getPassportAlertByHint';
+  request: IPassportDeviceSignedRequest & {
+    hintId: string;
+  };
+  response: {
+    alert?: data.IAlert;
+  };
+}
+
+export interface IReq_MarkPassportAlertSeen
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_MarkPassportAlertSeen
+  > {
+  method: 'markPassportAlertSeen';
+  request: IPassportDeviceSignedRequest & {
+    hintId: string;
+  };
+  response: {
+    success: boolean;
+  };
+}
+
+export interface IReq_DismissPassportAlert
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_DismissPassportAlert
+  > {
+  method: 'dismissPassportAlert';
+  request: IPassportDeviceSignedRequest & {
+    hintId: string;
+  };
+  response: {
+    success: boolean;
+  };
+}
+
+export interface IReq_UpsertAlertRule
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_UpsertAlertRule
+  > {
+  method: 'upsertAlertRule';
+  request: {
+    jwt: string;
+    ruleId?: string;
+    scope: data.TAlertRuleScope;
+    organizationId?: string;
+    eventType: string;
+    minimumSeverity: data.TAlertSeverity;
+    recipientMode: data.TAlertRuleRecipientMode;
+    recipientUserIds?: string[];
+    push: boolean;
+    enabled: boolean;
+  };
+  response: {
+    rule: data.IAlertRule;
+  };
+}
+
+export interface IReq_GetAlertRules
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_GetAlertRules
+  > {
+  method: 'getAlertRules';
+  request: {
+    jwt: string;
+    scope?: data.TAlertRuleScope;
+    organizationId?: string;
+  };
+  response: {
+    rules: data.IAlertRule[];
+  };
+}
+
+export interface IReq_DeleteAlertRule
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_DeleteAlertRule
+  > {
+  method: 'deleteAlertRule';
+  request: {
+    jwt: string;
+    ruleId: string;
+  };
+  response: {
+    success: boolean;
+  };
+}

package/ts/request/apitoken.ts

@@ -0,0 +1 @@
+export {};

package/ts/request/app.ts

@@ -0,0 +1,71 @@
+import * as data from '../data/index.js';
+import * as plugins from '../plugins.js';
+
+// Get all global apps
+export interface IReq_GetGlobalApps
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_GetGlobalApps
+  > {
+  method: 'getGlobalApps';
+  request: {
+    jwt: string;
+  };
+  response: {
+    apps: data.IGlobalApp[];
+  };
+}
+
+// Get app connections for an organization
+export interface IReq_GetAppConnections
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_GetAppConnections
+  > {
+  method: 'getAppConnections';
+  request: {
+    jwt: string;
+    organizationId: string;
+  };
+  response: {
+    connections: data.IAppConnection[];
+  };
+}
+
+// Connect/disconnect an app for an organization
+export interface IReq_ToggleAppConnection
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_ToggleAppConnection
+  > {
+  method: 'toggleAppConnection';
+  request: {
+    jwt: string;
+    organizationId: string;
+    appId: string;
+    action: 'connect' | 'disconnect';
+  };
+  response: {
+    success: boolean;
+    connection?: data.IAppConnection;
+  };
+}
+
+export interface IReq_UpdateAppRoleMappings
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_UpdateAppRoleMappings
+  > {
+  method: 'updateAppRoleMappings';
+  request: {
+    jwt: string;
+    organizationId: string;
+    appId: string;
+    roleMappings: data.IAppRoleMapping[];
+  };
+  response: {
+    success: boolean;
+    connection: data.IAppConnection;
+    message?: string;
+  };
+}

package/ts/request/authorization.ts

@@ -0,0 +1,72 @@
+import * as plugins from '../plugins.js';
+import { type IUser, type IRole } from '../data/index.js';
+import { type TOidcScope } from '../data/index.js';
+
+export interface IReq_InternalAuthorization
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_InternalAuthorization
+  > {
+  method: '';
+  request: {
+    accountData: IUser;
+    jwt: string;
+  };
+  response: {
+    accountData: IUser;
+    jwt: string;
+    relevantRoles: IRole[];
+  };
+}
+
+export interface IReq_CompleteOidcAuthorization
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_CompleteOidcAuthorization
+  > {
+  method: 'completeOidcAuthorization';
+  request: {
+    jwt: string;
+    clientId: string;
+    redirectUri: string;
+    scope: string;
+    state: string;
+    prompt?: 'none' | 'login' | 'consent';
+    codeChallenge?: string;
+    codeChallengeMethod?: 'S256';
+    nonce?: string;
+    consentApproved?: boolean;
+  };
+  response: {
+    code: string;
+    redirectUrl: string;
+  };
+}
+
+export interface IReq_PrepareOidcAuthorization
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_PrepareOidcAuthorization
+  > {
+  method: 'prepareOidcAuthorization';
+  request: {
+    jwt: string;
+    clientId: string;
+    redirectUri: string;
+    scope: string;
+    state: string;
+    prompt?: 'none' | 'login' | 'consent';
+    codeChallenge?: string;
+    codeChallengeMethod?: 'S256';
+    nonce?: string;
+  };
+  response: {
+    status: 'ready' | 'consent_required';
+    clientId: string;
+    appName: string;
+    appUrl: string;
+    logoUrl?: string;
+    requestedScopes: TOidcScope[];
+    grantedScopes: TOidcScope[];
+  };
+}

package/ts/request/billingplan.ts

@@ -0,0 +1,55 @@
+import * as plugins from '../plugins.js';
+import * as data from '../data/index.js';
+
+export interface IReq_UpdatePaymentMethod
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_UpdatePaymentMethod
+  > {
+  method: 'updatePaymentMethod';
+  request: {
+    jwtString: string;
+    orgId: string;
+    paddle?: {
+      checkoutId: string;
+    };
+  };
+  response: {
+    billingPlan: plugins.tsclass.typeFest.PartialDeep<data.IBillingPlan>;
+  };
+}
+
+/**
+ * allows getting the billing plan for a user
+ */
+export interface IReq_GetBillingPlan
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_GetBillingPlan
+  > {
+  method: 'getBillingPlan';
+  request: {
+    jwtString: string;
+    orgId: string;
+    billingPlanId: string;
+  };
+  response: {
+    billingPlan: data.IBillingPlan;
+  };
+}
+
+/**
+ * Returns Paddle configuration from environment variables
+ */
+export interface IReq_GetPaddleConfig
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_GetPaddleConfig
+  > {
+  method: 'getPaddleConfig';
+  request: {};
+  response: {
+    paddleToken: string;
+    paddlePriceId: string;
+  };
+}

package/ts/request/index.ts

@@ -0,0 +1,14 @@
+export * from './admin.js';
+export * from './apitoken.js';
+export * from './alert.js';
+export * from './app.js';
+export * from './authorization.js';
+export * from './billingplan.js';
+export * from './jwt.js';
+export * from './login.js';
+export * from './organization.js';
+export * from './passport.js';
+export * from './plan.js';
+export * from './registration.js';
+export * from './user.js';
+export * from './userinvitation.js';

package/ts/request/jwt.ts

@@ -0,0 +1,79 @@
+import * as data from '../data/index.js';
+import * as plugins from '../plugins.js';
+
+/**
+ * Request to get the public key for JWT validation.
+ *
+ * **Direction:** Client → idp.global
+ * **Requester:** Backend services that need to verify JWTs
+ * **Handler:** idp.global
+ *
+ * Use this to fetch the current public key for verifying JWT signatures.
+ * The backend token authenticates the requesting service.
+ */
+export interface IReq_GetPublicKeyForValidation
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_GetPublicKeyForValidation
+  > {
+  method: 'getPublicKeyForValidation';
+  request: {
+    backendToken: string;
+  };
+  response: {
+    publicKeyPem: string;
+  };
+}
+
+/**
+ * Push public key to connected backend services for JWT validation.
+ *
+ * **Direction:** idp.global → Client
+ * **Requester:** idp.global (pushes when the JWT signing key rotates)
+ * **Handler:** Backend services - must register a TypedHandler for this method
+ *
+ * Backend services should register a handler using `IdpClient.onPublicKeyPush()`
+ * to receive key rotation updates and update their local key cache.
+ */
+export interface IReq_PushPublicKeyForValidation
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_PushPublicKeyForValidation
+  > {
+  method: 'pushPublicKeyForValidation';
+  request: {
+    publicKeyPem: string;
+  };
+  response: {};
+}
+
+/**
+ * Push or get JWT ID blocklist for revoked tokens.
+ *
+ * **Bidirectional:**
+ * - **GET direction:** Client → idp.global - Client requests current blocklist
+ * - **PUSH direction:** idp.global → Client - Server pushes new blocklisted IDs
+ *
+ * **For GET (client fires):**
+ * - Fire with empty/undefined `blockedJwtIds` to request the full blocklist
+ * - Response contains the complete list of blocked JWT IDs
+ * - Use `IdpClient.requests.getJwtIdBlocklist` for this direction
+ *
+ * **For PUSH (idp.global fires):**
+ * - idp.global sends newly blocklisted JWT IDs to connected clients
+ * - Clients must register a handler using `IdpClient.onBlocklistPush()`
+ * - Store received IDs locally to reject revoked tokens
+ */
+export interface IReq_PushOrGetJwtIdBlocklist
+  extends plugins.typedRequestInterfaces.implementsTR<
+    plugins.typedRequestInterfaces.ITypedRequest,
+    IReq_PushOrGetJwtIdBlocklist
+  > {
+  method: 'pushOrGetJwtIdBlocklist';
+  request: {
+    blockedJwtIds?: string[];
+  };
+  response: {
+    blockedJwtIds?: string[];
+  };
+}