@idp.global/interfaces 1.2.0 → 3.0.0

package/changelog.md

@@ -1,5 +1,22 @@
 # Changelog
 
+## 2026-06-21 - 3.0.0
+
+### Breaking Changes
+
+- require PKCE parameters and refresh token family IDs (oidc)
+  - Require codeChallenge and codeChallengeMethod on OIDC authorization code data and authorization request contracts.
+  - Add required familyId to refresh token data for rotation family tracking.
+
+## 2026-06-20 - 2.0.0
+
+### Breaking Changes
+
+- update invitation contracts for hashed tokens and JWT acceptance (userinvitation)
+  - Split public invitation data from internal persisted records and expose tokenHash only on IUserInvitationRecord
+  - Replace userId with jwt in the acceptInvitation request contract
+  - Bump tsdoc and Node type dev dependencies
+
 ## 2026-06-10 - 1.2.0
 
 ### Features

package/dist_ts/00_commitinfo_data.js

@@ -3,7 +3,7 @@
  */
 export const commitinfo = {
     name: '@idp.global/interfaces',
-    version: '1.2.0',
+    version: '3.0.0',
     description: 'Shared TypeScript interfaces and TypedRequest contracts for the idp.global ecosystem.'
 };
 //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiMDBfY29tbWl0aW5mb19kYXRhLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vdHMvMDBfY29tbWl0aW5mb19kYXRhLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOztHQUVHO0FBQ0gsTUFBTSxDQUFDLE1BQU0sVUFBVSxHQUFHO0lBQ3hCLElBQUksRUFBRSx3QkFBd0I7SUFDOUIsT0FBTyxFQUFFLE9BQU87SUFDaEIsV0FBVyxFQUFFLHVGQUF1RjtDQUNyRyxDQUFBIn0=

package/dist_ts/data/oidc.d.ts

@@ -22,9 +22,9 @@ export interface IAuthorizationCode {
         /** Redirect URI used in authorization request */
         redirectUri: string;
         /** PKCE code challenge (S256 hashed) */
-        codeChallenge?: string;
+        codeChallenge: string;
         /** PKCE code challenge method */
-        codeChallengeMethod?: 'S256';
+        codeChallengeMethod: 'S256';
         /** Nonce from authorization request (for ID token) */
         nonce?: string;
         /** Expiration timestamp (10 minutes from creation) */
@@ -69,6 +69,8 @@ export interface IOidcRefreshToken {
         userId: string;
         /** Granted scopes */
         scopes: TOidcScope[];
+        /** Rotation family identifier for refresh token reuse detection */
+        familyId: string;
         /** Expiration timestamp */
         expiresAt: number;
         /** Creation timestamp */

package/dist_ts/data/userinvitation.d.ts

@@ -7,26 +7,35 @@
  */
 export interface IUserInvitation {
     id: string;
-    data: {
-        /** The invited email address - unique key for sharing across orgs */
-        email: string;
-        /** Secure token for invitation link validation */
-        token: string;
-        /** Current status of the invitation */
-        status: 'pending' | 'accepted' | 'expired' | 'cancelled';
-        /** When the invitation was first created */
-        createdAt: number;
-        /** When the invitation expires (createdAt + 90 days) */
-        expiresAt: number;
-        /**
-         * Organizations that have invited this email.
-         * Multiple orgs can link to the same invitation.
-         */
-        organizationRefs: IOrganizationInvitationRef[];
-        /** When the invitation was accepted (user registered/folded) */
-        acceptedAt?: number;
-        /** The User ID after conversion (when accepted) */
-        convertedToUserId?: string;
+    data: IUserInvitationData;
+}
+export interface IUserInvitationData {
+    /** The invited email address - unique key for sharing across orgs */
+    email: string;
+    /** Current status of the invitation */
+    status: 'pending' | 'accepted' | 'expired' | 'cancelled';
+    /** When the invitation was first created */
+    createdAt: number;
+    /** When the invitation expires (createdAt + 90 days) */
+    expiresAt: number;
+    /**
+     * Organizations that have invited this email.
+     * Multiple orgs can link to the same invitation.
+     */
+    organizationRefs: IOrganizationInvitationRef[];
+    /** When the invitation was accepted (user registered/folded) */
+    acceptedAt?: number;
+    /** The User ID after conversion (when accepted) */
+    convertedToUserId?: string;
+}
+/**
+ * Internal persisted invitation record. Do not return this shape to clients.
+ */
+export interface IUserInvitationRecord {
+    id: string;
+    data: IUserInvitationData & {
+        /** Hashed one-time invitation token for link validation */
+        tokenHash: string;
     };
 }
 /**

package/dist_ts/request/authorization.d.ts

@@ -22,8 +22,8 @@ export interface IReq_CompleteOidcAuthorization extends plugins.typedRequestInte
         scope: string;
         state: string;
         prompt?: 'none' | 'login' | 'consent';
-        codeChallenge?: string;
-        codeChallengeMethod?: 'S256';
+        codeChallenge: string;
+        codeChallengeMethod: 'S256';
         nonce?: string;
         consentApproved?: boolean;
     };
@@ -41,8 +41,8 @@ export interface IReq_PrepareOidcAuthorization extends plugins.typedRequestInter
         scope: string;
         state: string;
         prompt?: 'none' | 'login' | 'consent';
-        codeChallenge?: string;
-        codeChallengeMethod?: 'S256';
+        codeChallenge: string;
+        codeChallengeMethod: 'S256';
         nonce?: string;
     };
     response: {

package/dist_ts/request/userinvitation.d.ts

@@ -127,13 +127,13 @@ export interface IReq_TransferOwnership extends plugins.typedRequestInterfaces.i
     };
 }
 /**
- * Accept an invitation (called during registration or email verification)
+ * Accept an invitation for the authenticated user.
  */
 export interface IReq_AcceptInvitation extends plugins.typedRequestInterfaces.implementsTR<plugins.typedRequestInterfaces.ITypedRequest, IReq_AcceptInvitation> {
     method: 'acceptInvitation';
     request: {
         token: string;
-        userId: string;
+        jwt: string;
     };
     response: {
         success: boolean;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@idp.global/interfaces",
-  "version": "1.2.0",
+  "version": "3.0.0",
   "private": false,
   "description": "Shared TypeScript interfaces and TypedRequest contracts for the idp.global ecosystem.",
   "exports": {
@@ -15,10 +15,10 @@
   },
   "devDependencies": {
     "@git.zone/tsbuild": "^4.4.2",
-    "@git.zone/tsdoc": "^2.0.6",
+    "@git.zone/tsdoc": "^2.1.1",
     "@git.zone/tsrun": "^2.0.4",
     "@git.zone/tstest": "^3.6.6",
-    "@types/node": "^25.9.2"
+    "@types/node": "^26.0.0"
   },
   "files": [
     "ts/**/*",

package/ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@idp.global/interfaces',
-  version: '1.2.0',
+  version: '3.0.0',
   description: 'Shared TypeScript interfaces and TypedRequest contracts for the idp.global ecosystem.'
 }

package/ts/data/oidc.ts

@@ -24,9 +24,9 @@ export interface IAuthorizationCode {
     /** Redirect URI used in authorization request */
     redirectUri: string;
     /** PKCE code challenge (S256 hashed) */
-    codeChallenge?: string;
+    codeChallenge: string;
     /** PKCE code challenge method */
-    codeChallengeMethod?: 'S256';
+    codeChallengeMethod: 'S256';
     /** Nonce from authorization request (for ID token) */
     nonce?: string;
     /** Expiration timestamp (10 minutes from creation) */
@@ -73,6 +73,8 @@ export interface IOidcRefreshToken {
     userId: string;
     /** Granted scopes */
     scopes: TOidcScope[];
+    /** Rotation family identifier for refresh token reuse detection */
+    familyId: string;
     /** Expiration timestamp */
     expiresAt: number;
     /** Creation timestamp */

package/ts/data/userinvitation.ts

@@ -9,13 +9,13 @@ import * as plugins from '../plugins.js';
  */
 export interface IUserInvitation {
   id: string;
-  data: {
+  data: IUserInvitationData;
+}
+
+export interface IUserInvitationData {
     /** The invited email address - unique key for sharing across orgs */
     email: string;
 
-    /** Secure token for invitation link validation */
-    token: string;
-
     /** Current status of the invitation */
     status: 'pending' | 'accepted' | 'expired' | 'cancelled';
 
@@ -36,6 +36,16 @@ export interface IUserInvitation {
 
     /** The User ID after conversion (when accepted) */
     convertedToUserId?: string;
+}
+
+/**
+ * Internal persisted invitation record. Do not return this shape to clients.
+ */
+export interface IUserInvitationRecord {
+  id: string;
+  data: IUserInvitationData & {
+    /** Hashed one-time invitation token for link validation */
+    tokenHash: string;
   };
 }
 

package/ts/request/authorization.ts

@@ -32,8 +32,8 @@ export interface IReq_CompleteOidcAuthorization
     scope: string;
     state: string;
     prompt?: 'none' | 'login' | 'consent';
-    codeChallenge?: string;
-    codeChallengeMethod?: 'S256';
+    codeChallenge: string;
+    codeChallengeMethod: 'S256';
     nonce?: string;
     consentApproved?: boolean;
   };
@@ -56,8 +56,8 @@ export interface IReq_PrepareOidcAuthorization
     scope: string;
     state: string;
     prompt?: 'none' | 'login' | 'consent';
-    codeChallenge?: string;
-    codeChallengeMethod?: 'S256';
+    codeChallenge: string;
+    codeChallengeMethod: 'S256';
     nonce?: string;
   };
   response: {

package/ts/request/userinvitation.ts

@@ -168,7 +168,7 @@ export interface IReq_TransferOwnership
 }
 
 /**
- * Accept an invitation (called during registration or email verification)
+ * Accept an invitation for the authenticated user.
  */
 export interface IReq_AcceptInvitation
   extends plugins.typedRequestInterfaces.implementsTR<
@@ -178,7 +178,7 @@ export interface IReq_AcceptInvitation
   method: 'acceptInvitation';
   request: {
     token: string;
-    userId: string;
+    jwt: string;
   };
   response: {
     success: boolean;