@insureco/bio 0.2.0 → 0.4.0

package/dist/chunk-NK5VXXWF.mjs

@@ -0,0 +1,43 @@
+// src/errors.ts
+var BioError = class extends Error {
+  /** HTTP status code (if from an API response) */
+  statusCode;
+  /** Machine-readable error code (e.g. 'invalid_grant', 'token_expired') */
+  code;
+  /** Additional error details from the API */
+  details;
+  constructor(message, code, statusCode, details) {
+    super(message);
+    this.name = "BioError";
+    this.code = code;
+    this.statusCode = statusCode;
+    this.details = details;
+  }
+};
+
+// src/utils.ts
+function retryDelay(attempt) {
+  const baseDelay = Math.min(1e3 * 2 ** attempt, 5e3);
+  return baseDelay * (0.5 + Math.random() * 0.5);
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function parseJsonResponse(response) {
+  try {
+    return await response.json();
+  } catch {
+    throw new BioError(
+      `Bio-ID returned ${response.status} with non-JSON body`,
+      "parse_error",
+      response.status
+    );
+  }
+}
+
+export {
+  BioError,
+  retryDelay,
+  sleep,
+  parseJsonResponse
+};

package/dist/index.d.mts

@@ -1,259 +1,5 @@
-/** Configuration for BioAuth (OAuth flow client) */
-interface BioAuthConfig {
-    /** OAuth client ID (env: BIO_CLIENT_ID) */
-    clientId: string;
-    /** OAuth client secret (env: BIO_CLIENT_SECRET) */
-    clientSecret: string;
-    /** Bio-ID issuer URL (env: BIO_ID_URL, default: https://bio.tawa.insureco.io) */
-    issuer?: string;
-    /** Number of retry attempts on transient failures (default: 2) */
-    retries?: number;
-    /** Request timeout in milliseconds (default: 10000) */
-    timeoutMs?: number;
-}
-/** Configuration for BioAdmin (admin API client) */
-interface BioAdminConfig {
-    /** Bio-ID base URL (env: BIO_ID_URL, default: https://bio.tawa.insureco.io) */
-    baseUrl?: string;
-    /** Internal API key for service-to-service auth (env: INTERNAL_API_KEY) */
-    internalKey?: string;
-    /** Async function returning a Bearer token (alternative to internalKey) */
-    accessTokenFn?: () => Promise<string>;
-    /** Number of retry attempts on transient failures (default: 2) */
-    retries?: number;
-    /** Request timeout in milliseconds (default: 10000) */
-    timeoutMs?: number;
-}
-/** Options for building an authorization URL */
-interface AuthorizeOptions {
-    /** Callback URL where Bio-ID redirects after authorization */
-    redirectUri: string;
-    /** OAuth scopes to request (default: ['openid', 'profile', 'email']) */
-    scopes?: string[];
-    /** CSRF state parameter (auto-generated if not provided) */
-    state?: string;
-}
-/** Result from getAuthorizationUrl() */
-interface AuthorizeResult {
-    /** Full authorization URL to redirect the user to */
-    url: string;
-    /** State parameter (for CSRF validation on callback) */
-    state: string;
-    /** PKCE code verifier (store securely, send during token exchange) */
-    codeVerifier: string;
-    /** PKCE code challenge (included in the URL) */
-    codeChallenge: string;
-}
-/** Response from the /api/oauth/token endpoint */
-interface TokenResponse {
-    access_token: string;
-    token_type: 'Bearer';
-    expires_in: number;
-    refresh_token?: string;
-    scope: string;
-    id_token?: string;
-}
-/** Response from the /api/auth/introspect endpoint */
-interface IntrospectResult {
-    active: boolean;
-    user?: {
-        id: string;
-        email: string;
-        name: string;
-        org: string;
-        roles: string[];
-    };
-    tokenType?: 'client_credentials';
-    clientId?: string;
-    scopes?: string[];
-    orgId?: string;
-    orgSlug?: string;
-    organizationName?: string;
-}
-/** Decoded access token payload (user auth) */
-interface BioTokenPayload {
-    iss: string;
-    sub: string;
-    aud: string;
-    exp: number;
-    iat: number;
-    bioId: string;
-    email: string;
-    name: string;
-    userType: string;
-    roles: string[];
-    permissions: string[];
-    orgId?: string;
-    orgSlug?: string;
-    client_id: string;
-    scope: string;
-    enabled_modules?: string[];
-    onboarding?: {
-        platform: boolean;
-        modules: Record<string, {
-            completed: string[];
-            due: string[];
-        }>;
-    };
-}
-/** Decoded client credentials token payload (service-to-service) */
-interface BioClientTokenPayload {
-    iss: string;
-    exp: number;
-    iat: number;
-    client_id: string;
-    scope: string;
-    token_type: 'client_credentials';
-    orgId?: string;
-    orgSlug?: string;
-}
-/** Options for local JWT verification (HS256) */
-interface VerifyOptions {
-    /** Expected issuer (default: config issuer) */
-    issuer?: string;
-    /** Expected audience (client_id) */
-    audience?: string;
-}
-/** Options for JWKS-based JWT verification (RS256) */
-interface JWKSVerifyOptions {
-    /** JWKS endpoint URL (default: https://bio.tawa.insureco.io/.well-known/jwks.json) */
-    jwksUri?: string;
-    /** Expected issuer — defaults to accepting both bio.insureco.io and bio.tawa.insureco.io */
-    issuer?: string;
-    /** Expected audience (client_id) */
-    audience?: string;
-}
-/** User profile from /api/oauth/userinfo or admin API */
-interface BioUser {
-    sub: string;
-    bioId: string;
-    email: string;
-    emailVerified: boolean;
-    name: string;
-    firstName?: string;
-    lastName?: string;
-    userType: string;
-    roles: string[];
-    permissions: string[];
-    status: string;
-    orgId?: string;
-    orgSlug?: string;
-    organizationId?: string;
-    organizationName?: string;
-    departmentId?: string;
-    departmentName?: string;
-    managerId?: string;
-    enabledModules?: string[];
-    jobTitle?: string;
-    phoneHome?: string;
-    phoneWork?: string;
-    phoneCell?: string;
-    phone?: string;
-    addressHome?: BioAddress;
-    addressWork?: BioAddress;
-    messaging?: BioMessaging;
-    preferences?: Record<string, unknown>;
-    lastLoginAt?: number;
-}
-interface BioAddress {
-    street?: string;
-    city?: string;
-    state?: string;
-    zip?: string;
-    country?: string;
-}
-interface BioMessaging {
-    slack?: string;
-    teams?: string;
-    skype?: string;
-    whatsapp?: string;
-}
-/** Filters for listing users */
-interface UserFilters {
-    search?: string;
-    status?: string;
-    userType?: string;
-    organizationId?: string;
-    page?: number;
-    limit?: number;
-}
-/** Data for updating a user */
-interface UpdateUserData {
-    firstName?: string;
-    lastName?: string;
-    displayName?: string;
-    roles?: string[];
-    status?: string;
-    userType?: string;
-    departmentId?: string;
-    jobTitle?: string;
-    permissions?: string[];
-    enabled_modules?: string[];
-}
-/** Department from admin API */
-interface BioDepartment {
-    id: string;
-    name: string;
-    description?: string;
-    organizationId: string;
-    headId?: string;
-    parentId?: string;
-    memberCount?: number;
-}
-/** Data for creating a department */
-interface CreateDepartmentData {
-    name: string;
-    description?: string;
-    headId?: string;
-    parentId?: string;
-}
-/** Role from admin API */
-interface BioRole {
-    id: string;
-    name: string;
-    description?: string;
-    permissions: string[];
-    isSystem?: boolean;
-}
-/** Data for creating a role */
-interface CreateRoleData {
-    name: string;
-    description?: string;
-    permissions: string[];
-}
-/** OAuth client from admin API */
-interface BioOAuthClient {
-    clientId: string;
-    name: string;
-    description?: string;
-    redirectUris: string[];
-    allowedScopes: string[];
-    allowedGrantTypes: string[];
-    isActive: boolean;
-    orgId?: string;
-    orgSlug?: string;
-    accessTokenTtl?: number;
-    refreshTokenTtl?: number;
-}
-/** Data for creating an OAuth client */
-interface CreateClientData {
-    name: string;
-    description?: string;
-    redirectUris: string[];
-    allowedScopes?: string[];
-    allowedGrantTypes?: string[];
-}
-/** Admin API response wrapper */
-interface AdminResponse<T> {
-    success: boolean;
-    data?: T;
-    error?: string;
-    meta?: {
-        total: number;
-        page: number;
-        limit: number;
-    };
-}
+import { B as BioAuthConfig, A as AuthorizeOptions, a as AuthorizeResult, T as TokenResponse, b as BioUser, I as IntrospectResult, c as BioAdminConfig, U as UserFilters, d as UpdateUserData, e as BioDepartment, C as CreateDepartmentData, f as BioRole, g as CreateRoleData, h as BioOAuthClient, i as CreateClientData, j as BioTokenPayload, V as VerifyOptions, J as JWKSVerifyOptions } from './types-Dkb-drHZ.mjs';
+export { k as AdminResponse, l as BioAddress, m as BioClientTokenPayload, n as BioMessaging, o as BioUsersConfig, O as OrgMember, p as OrgMemberFilters, q as OrgMembersResult } from './types-Dkb-drHZ.mjs';
 
 /**
  * OAuth flow client for Bio-ID SSO.
@@ -408,4 +154,4 @@ declare function isTokenExpired(token: string, bufferSeconds?: number): boolean;
  */
 declare function verifyTokenJWKS(token: string, options?: JWKSVerifyOptions): Promise<BioTokenPayload>;
 
-export { type AdminResponse, type AuthorizeOptions, type AuthorizeResult, type BioAddress, BioAdmin, type BioAdminConfig, BioAuth, type BioAuthConfig, type BioClientTokenPayload, type BioDepartment, BioError, type BioMessaging, type BioOAuthClient, type BioRole, type BioTokenPayload, type BioUser, type CreateClientData, type CreateDepartmentData, type CreateRoleData, type IntrospectResult, type JWKSVerifyOptions, type TokenResponse, type UpdateUserData, type UserFilters, type VerifyOptions, decodeToken, generatePKCE, isTokenExpired, verifyToken, verifyTokenJWKS };
+export { AuthorizeOptions, AuthorizeResult, BioAdmin, BioAdminConfig, BioAuth, BioAuthConfig, BioDepartment, BioError, BioOAuthClient, BioRole, BioTokenPayload, BioUser, CreateClientData, CreateDepartmentData, CreateRoleData, IntrospectResult, JWKSVerifyOptions, TokenResponse, UpdateUserData, UserFilters, VerifyOptions, decodeToken, generatePKCE, isTokenExpired, verifyToken, verifyTokenJWKS };

package/dist/index.d.ts

@@ -1,259 +1,5 @@
-/** Configuration for BioAuth (OAuth flow client) */
-interface BioAuthConfig {
-    /** OAuth client ID (env: BIO_CLIENT_ID) */
-    clientId: string;
-    /** OAuth client secret (env: BIO_CLIENT_SECRET) */
-    clientSecret: string;
-    /** Bio-ID issuer URL (env: BIO_ID_URL, default: https://bio.tawa.insureco.io) */
-    issuer?: string;
-    /** Number of retry attempts on transient failures (default: 2) */
-    retries?: number;
-    /** Request timeout in milliseconds (default: 10000) */
-    timeoutMs?: number;
-}
-/** Configuration for BioAdmin (admin API client) */
-interface BioAdminConfig {
-    /** Bio-ID base URL (env: BIO_ID_URL, default: https://bio.tawa.insureco.io) */
-    baseUrl?: string;
-    /** Internal API key for service-to-service auth (env: INTERNAL_API_KEY) */
-    internalKey?: string;
-    /** Async function returning a Bearer token (alternative to internalKey) */
-    accessTokenFn?: () => Promise<string>;
-    /** Number of retry attempts on transient failures (default: 2) */
-    retries?: number;
-    /** Request timeout in milliseconds (default: 10000) */
-    timeoutMs?: number;
-}
-/** Options for building an authorization URL */
-interface AuthorizeOptions {
-    /** Callback URL where Bio-ID redirects after authorization */
-    redirectUri: string;
-    /** OAuth scopes to request (default: ['openid', 'profile', 'email']) */
-    scopes?: string[];
-    /** CSRF state parameter (auto-generated if not provided) */
-    state?: string;
-}
-/** Result from getAuthorizationUrl() */
-interface AuthorizeResult {
-    /** Full authorization URL to redirect the user to */
-    url: string;
-    /** State parameter (for CSRF validation on callback) */
-    state: string;
-    /** PKCE code verifier (store securely, send during token exchange) */
-    codeVerifier: string;
-    /** PKCE code challenge (included in the URL) */
-    codeChallenge: string;
-}
-/** Response from the /api/oauth/token endpoint */
-interface TokenResponse {
-    access_token: string;
-    token_type: 'Bearer';
-    expires_in: number;
-    refresh_token?: string;
-    scope: string;
-    id_token?: string;
-}
-/** Response from the /api/auth/introspect endpoint */
-interface IntrospectResult {
-    active: boolean;
-    user?: {
-        id: string;
-        email: string;
-        name: string;
-        org: string;
-        roles: string[];
-    };
-    tokenType?: 'client_credentials';
-    clientId?: string;
-    scopes?: string[];
-    orgId?: string;
-    orgSlug?: string;
-    organizationName?: string;
-}
-/** Decoded access token payload (user auth) */
-interface BioTokenPayload {
-    iss: string;
-    sub: string;
-    aud: string;
-    exp: number;
-    iat: number;
-    bioId: string;
-    email: string;
-    name: string;
-    userType: string;
-    roles: string[];
-    permissions: string[];
-    orgId?: string;
-    orgSlug?: string;
-    client_id: string;
-    scope: string;
-    enabled_modules?: string[];
-    onboarding?: {
-        platform: boolean;
-        modules: Record<string, {
-            completed: string[];
-            due: string[];
-        }>;
-    };
-}
-/** Decoded client credentials token payload (service-to-service) */
-interface BioClientTokenPayload {
-    iss: string;
-    exp: number;
-    iat: number;
-    client_id: string;
-    scope: string;
-    token_type: 'client_credentials';
-    orgId?: string;
-    orgSlug?: string;
-}
-/** Options for local JWT verification (HS256) */
-interface VerifyOptions {
-    /** Expected issuer (default: config issuer) */
-    issuer?: string;
-    /** Expected audience (client_id) */
-    audience?: string;
-}
-/** Options for JWKS-based JWT verification (RS256) */
-interface JWKSVerifyOptions {
-    /** JWKS endpoint URL (default: https://bio.tawa.insureco.io/.well-known/jwks.json) */
-    jwksUri?: string;
-    /** Expected issuer — defaults to accepting both bio.insureco.io and bio.tawa.insureco.io */
-    issuer?: string;
-    /** Expected audience (client_id) */
-    audience?: string;
-}
-/** User profile from /api/oauth/userinfo or admin API */
-interface BioUser {
-    sub: string;
-    bioId: string;
-    email: string;
-    emailVerified: boolean;
-    name: string;
-    firstName?: string;
-    lastName?: string;
-    userType: string;
-    roles: string[];
-    permissions: string[];
-    status: string;
-    orgId?: string;
-    orgSlug?: string;
-    organizationId?: string;
-    organizationName?: string;
-    departmentId?: string;
-    departmentName?: string;
-    managerId?: string;
-    enabledModules?: string[];
-    jobTitle?: string;
-    phoneHome?: string;
-    phoneWork?: string;
-    phoneCell?: string;
-    phone?: string;
-    addressHome?: BioAddress;
-    addressWork?: BioAddress;
-    messaging?: BioMessaging;
-    preferences?: Record<string, unknown>;
-    lastLoginAt?: number;
-}
-interface BioAddress {
-    street?: string;
-    city?: string;
-    state?: string;
-    zip?: string;
-    country?: string;
-}
-interface BioMessaging {
-    slack?: string;
-    teams?: string;
-    skype?: string;
-    whatsapp?: string;
-}
-/** Filters for listing users */
-interface UserFilters {
-    search?: string;
-    status?: string;
-    userType?: string;
-    organizationId?: string;
-    page?: number;
-    limit?: number;
-}
-/** Data for updating a user */
-interface UpdateUserData {
-    firstName?: string;
-    lastName?: string;
-    displayName?: string;
-    roles?: string[];
-    status?: string;
-    userType?: string;
-    departmentId?: string;
-    jobTitle?: string;
-    permissions?: string[];
-    enabled_modules?: string[];
-}
-/** Department from admin API */
-interface BioDepartment {
-    id: string;
-    name: string;
-    description?: string;
-    organizationId: string;
-    headId?: string;
-    parentId?: string;
-    memberCount?: number;
-}
-/** Data for creating a department */
-interface CreateDepartmentData {
-    name: string;
-    description?: string;
-    headId?: string;
-    parentId?: string;
-}
-/** Role from admin API */
-interface BioRole {
-    id: string;
-    name: string;
-    description?: string;
-    permissions: string[];
-    isSystem?: boolean;
-}
-/** Data for creating a role */
-interface CreateRoleData {
-    name: string;
-    description?: string;
-    permissions: string[];
-}
-/** OAuth client from admin API */
-interface BioOAuthClient {
-    clientId: string;
-    name: string;
-    description?: string;
-    redirectUris: string[];
-    allowedScopes: string[];
-    allowedGrantTypes: string[];
-    isActive: boolean;
-    orgId?: string;
-    orgSlug?: string;
-    accessTokenTtl?: number;
-    refreshTokenTtl?: number;
-}
-/** Data for creating an OAuth client */
-interface CreateClientData {
-    name: string;
-    description?: string;
-    redirectUris: string[];
-    allowedScopes?: string[];
-    allowedGrantTypes?: string[];
-}
-/** Admin API response wrapper */
-interface AdminResponse<T> {
-    success: boolean;
-    data?: T;
-    error?: string;
-    meta?: {
-        total: number;
-        page: number;
-        limit: number;
-    };
-}
+import { B as BioAuthConfig, A as AuthorizeOptions, a as AuthorizeResult, T as TokenResponse, b as BioUser, I as IntrospectResult, c as BioAdminConfig, U as UserFilters, d as UpdateUserData, e as BioDepartment, C as CreateDepartmentData, f as BioRole, g as CreateRoleData, h as BioOAuthClient, i as CreateClientData, j as BioTokenPayload, V as VerifyOptions, J as JWKSVerifyOptions } from './types-Dkb-drHZ.js';
+export { k as AdminResponse, l as BioAddress, m as BioClientTokenPayload, n as BioMessaging, o as BioUsersConfig, O as OrgMember, p as OrgMemberFilters, q as OrgMembersResult } from './types-Dkb-drHZ.js';
 
 /**
  * OAuth flow client for Bio-ID SSO.
@@ -408,4 +154,4 @@ declare function isTokenExpired(token: string, bufferSeconds?: number): boolean;
  */
 declare function verifyTokenJWKS(token: string, options?: JWKSVerifyOptions): Promise<BioTokenPayload>;
 
-export { type AdminResponse, type AuthorizeOptions, type AuthorizeResult, type BioAddress, BioAdmin, type BioAdminConfig, BioAuth, type BioAuthConfig, type BioClientTokenPayload, type BioDepartment, BioError, type BioMessaging, type BioOAuthClient, type BioRole, type BioTokenPayload, type BioUser, type CreateClientData, type CreateDepartmentData, type CreateRoleData, type IntrospectResult, type JWKSVerifyOptions, type TokenResponse, type UpdateUserData, type UserFilters, type VerifyOptions, decodeToken, generatePKCE, isTokenExpired, verifyToken, verifyTokenJWKS };
+export { AuthorizeOptions, AuthorizeResult, BioAdmin, BioAdminConfig, BioAuth, BioAuthConfig, BioDepartment, BioError, BioOAuthClient, BioRole, BioTokenPayload, BioUser, CreateClientData, CreateDepartmentData, CreateRoleData, IntrospectResult, JWKSVerifyOptions, TokenResponse, UpdateUserData, UserFilters, VerifyOptions, decodeToken, generatePKCE, isTokenExpired, verifyToken, verifyTokenJWKS };

package/dist/index.js

@@ -90,7 +90,7 @@ async function parseJsonResponse(response) {
 }
 
 // src/auth.ts
-var DEFAULT_ISSUER = "https://bio.tawa.insureco.io";
+var DEFAULT_ISSUER = "https://bio.tawa.pro";
 var DEFAULT_SCOPES = ["openid", "profile", "email"];
 var DEFAULT_TIMEOUT_MS = 1e4;
 var BioAuth = class _BioAuth {
@@ -160,6 +160,9 @@ var BioAuth = class _BioAuth {
       code_challenge: codeChallenge,
       code_challenge_method: "S256"
     });
+    if (opts.organization) {
+      params.set("organization", opts.organization);
+    }
     return {
       url: `${this.issuer}/oauth/authorize?${params.toString()}`,
       state,
@@ -381,7 +384,7 @@ function mapIntrospectResponse(raw) {
 }
 
 // src/admin.ts
-var DEFAULT_BASE_URL = "https://bio.tawa.insureco.io";
+var DEFAULT_BASE_URL = "https://bio.tawa.pro";
 var DEFAULT_TIMEOUT_MS2 = 1e4;
 var BioAdmin = class _BioAdmin {
   baseUrl;
@@ -587,9 +590,10 @@ var import_node_crypto3 = __toESM(require("crypto"));
 var DEFAULT_ISSUERS = [
   "https://bio.insureco.io",
   "https://bio.tawa.insureco.io",
+  "https://bio.tawa.pro",
   "http://localhost:6100"
 ];
-var DEFAULT_JWKS_URI = "https://bio.tawa.insureco.io/.well-known/jwks.json";
+var DEFAULT_JWKS_URI = "https://bio.tawa.pro/.well-known/jwks.json";
 var JWKS_CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
 var jwksCache = /* @__PURE__ */ new Map();
 async function fetchJWKS(uri) {
@@ -706,7 +710,12 @@ async function verifyTokenJWKS(token, options) {
     throw new BioError("Malformed JWT: expected 3 parts", "invalid_token");
   }
   const [headerB64, payloadB64, signatureB64] = parts;
-  const header = JSON.parse(base64UrlDecode(headerB64));
+  let header;
+  try {
+    header = JSON.parse(base64UrlDecode(headerB64));
+  } catch {
+    throw new BioError("Malformed JWT: invalid header encoding", "invalid_token");
+  }
   if (header.alg !== "RS256") {
     throw new BioError(
       `Expected RS256 token, got ${header.alg}. Use verifyToken() for HS256.`,