@insureco/bio 0.2.0 → 0.4.0

package/dist/index.mjs

@@ -1,23 +1,13 @@
+import {
+  BioError,
+  parseJsonResponse,
+  retryDelay,
+  sleep
+} from "./chunk-NK5VXXWF.mjs";
+
 // src/auth.ts
 import crypto2 from "crypto";
 
-// src/errors.ts
-var BioError = class extends Error {
-  /** HTTP status code (if from an API response) */
-  statusCode;
-  /** Machine-readable error code (e.g. 'invalid_grant', 'token_expired') */
-  code;
-  /** Additional error details from the API */
-  details;
-  constructor(message, code, statusCode, details) {
-    super(message);
-    this.name = "BioError";
-    this.code = code;
-    this.statusCode = statusCode;
-    this.details = details;
-  }
-};
-
 // src/pkce.ts
 import crypto from "crypto";
 function generatePKCE() {
@@ -26,28 +16,8 @@ function generatePKCE() {
   return { codeVerifier, codeChallenge };
 }
 
-// src/utils.ts
-function retryDelay(attempt) {
-  const baseDelay = Math.min(1e3 * 2 ** attempt, 5e3);
-  return baseDelay * (0.5 + Math.random() * 0.5);
-}
-function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
-async function parseJsonResponse(response) {
-  try {
-    return await response.json();
-  } catch {
-    throw new BioError(
-      `Bio-ID returned ${response.status} with non-JSON body`,
-      "parse_error",
-      response.status
-    );
-  }
-}
-
 // src/auth.ts
-var DEFAULT_ISSUER = "https://bio.tawa.insureco.io";
+var DEFAULT_ISSUER = "https://bio.tawa.pro";
 var DEFAULT_SCOPES = ["openid", "profile", "email"];
 var DEFAULT_TIMEOUT_MS = 1e4;
 var BioAuth = class _BioAuth {
@@ -117,6 +87,9 @@ var BioAuth = class _BioAuth {
       code_challenge: codeChallenge,
       code_challenge_method: "S256"
     });
+    if (opts.organization) {
+      params.set("organization", opts.organization);
+    }
     return {
       url: `${this.issuer}/oauth/authorize?${params.toString()}`,
       state,
@@ -338,7 +311,7 @@ function mapIntrospectResponse(raw) {
 }
 
 // src/admin.ts
-var DEFAULT_BASE_URL = "https://bio.tawa.insureco.io";
+var DEFAULT_BASE_URL = "https://bio.tawa.pro";
 var DEFAULT_TIMEOUT_MS2 = 1e4;
 var BioAdmin = class _BioAdmin {
   baseUrl;
@@ -544,9 +517,10 @@ import crypto3 from "crypto";
 var DEFAULT_ISSUERS = [
   "https://bio.insureco.io",
   "https://bio.tawa.insureco.io",
+  "https://bio.tawa.pro",
   "http://localhost:6100"
 ];
-var DEFAULT_JWKS_URI = "https://bio.tawa.insureco.io/.well-known/jwks.json";
+var DEFAULT_JWKS_URI = "https://bio.tawa.pro/.well-known/jwks.json";
 var JWKS_CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
 var jwksCache = /* @__PURE__ */ new Map();
 async function fetchJWKS(uri) {
@@ -663,7 +637,12 @@ async function verifyTokenJWKS(token, options) {
     throw new BioError("Malformed JWT: expected 3 parts", "invalid_token");
   }
   const [headerB64, payloadB64, signatureB64] = parts;
-  const header = JSON.parse(base64UrlDecode(headerB64));
+  let header;
+  try {
+    header = JSON.parse(base64UrlDecode(headerB64));
+  } catch {
+    throw new BioError("Malformed JWT: invalid header encoding", "invalid_token");
+  }
   if (header.alg !== "RS256") {
     throw new BioError(
       `Expected RS256 token, got ${header.alg}. Use verifyToken() for HS256.`,

package/dist/types-Dkb-drHZ.d.mts

@@ -0,0 +1,302 @@
+/** Configuration for BioAuth (OAuth flow client) */
+interface BioAuthConfig {
+    /** OAuth client ID (env: BIO_CLIENT_ID) */
+    clientId: string;
+    /** OAuth client secret (env: BIO_CLIENT_SECRET) */
+    clientSecret: string;
+    /** Bio-ID issuer URL (env: BIO_ID_URL, default: https://bio.tawa.pro) */
+    issuer?: string;
+    /** Number of retry attempts on transient failures (default: 2) */
+    retries?: number;
+    /** Request timeout in milliseconds (default: 10000) */
+    timeoutMs?: number;
+}
+/** Configuration for BioAdmin (admin API client) */
+interface BioAdminConfig {
+    /** Bio-ID base URL (env: BIO_ID_URL, default: https://bio.tawa.pro) */
+    baseUrl?: string;
+    /** Internal API key for service-to-service auth (env: INTERNAL_API_KEY) */
+    internalKey?: string;
+    /** Async function returning a Bearer token (alternative to internalKey) */
+    accessTokenFn?: () => Promise<string>;
+    /** Number of retry attempts on transient failures (default: 2) */
+    retries?: number;
+    /** Request timeout in milliseconds (default: 10000) */
+    timeoutMs?: number;
+}
+/** Options for building an authorization URL */
+interface AuthorizeOptions {
+    /** Callback URL where Bio-ID redirects after authorization */
+    redirectUri: string;
+    /** OAuth scopes to request (default: ['openid', 'profile', 'email']) */
+    scopes?: string[];
+    /** CSRF state parameter (auto-generated if not provided) */
+    state?: string;
+    /** Optional org slug to pre-select during authorization (for multi-org users) */
+    organization?: string;
+}
+/** Result from getAuthorizationUrl() */
+interface AuthorizeResult {
+    /** Full authorization URL to redirect the user to */
+    url: string;
+    /** State parameter (for CSRF validation on callback) */
+    state: string;
+    /** PKCE code verifier (store securely, send during token exchange) */
+    codeVerifier: string;
+    /** PKCE code challenge (included in the URL) */
+    codeChallenge: string;
+}
+/** Response from the /api/oauth/token endpoint */
+interface TokenResponse {
+    access_token: string;
+    token_type: 'Bearer';
+    expires_in: number;
+    refresh_token?: string;
+    scope: string;
+    id_token?: string;
+}
+/** Response from the /api/auth/introspect endpoint */
+interface IntrospectResult {
+    active: boolean;
+    user?: {
+        id: string;
+        email: string;
+        name: string;
+        org: string;
+        roles: string[];
+    };
+    tokenType?: 'client_credentials';
+    clientId?: string;
+    scopes?: string[];
+    orgId?: string;
+    orgSlug?: string;
+    organizationName?: string;
+}
+/** Decoded access token payload (user auth) */
+interface BioTokenPayload {
+    iss: string;
+    sub: string;
+    aud: string;
+    exp: number;
+    iat: number;
+    bioId: string;
+    email: string;
+    name: string;
+    userType: string;
+    roles: string[];
+    permissions: string[];
+    orgId?: string;
+    orgSlug?: string;
+    /** Org-specific role slugs within the user's active org (from OrgMembership) */
+    orgRoles?: string[];
+    /** Job title at the active org (from OrgMembership.jobTitle) */
+    orgTitle?: string;
+    /** Additional modules granted by the org specifically (from OrgMembership.enabled_modules) */
+    orgModules?: string[];
+    client_id: string;
+    scope: string;
+    enabled_modules?: string[];
+    onboarding?: {
+        platform: boolean;
+        modules: Record<string, {
+            completed: string[];
+            due: string[];
+        }>;
+    };
+}
+/** Decoded client credentials token payload (service-to-service) */
+interface BioClientTokenPayload {
+    iss: string;
+    exp: number;
+    iat: number;
+    client_id: string;
+    scope: string;
+    token_type: 'client_credentials';
+    orgId?: string;
+    orgSlug?: string;
+}
+/** Options for local JWT verification (HS256) */
+interface VerifyOptions {
+    /** Expected issuer (default: config issuer) */
+    issuer?: string;
+    /** Expected audience (client_id) */
+    audience?: string;
+}
+/** Options for JWKS-based JWT verification (RS256) */
+interface JWKSVerifyOptions {
+    /** JWKS endpoint URL (default: https://bio.tawa.pro/.well-known/jwks.json) */
+    jwksUri?: string;
+    /** Expected issuer — defaults to accepting bio.insureco.io, bio.tawa.insureco.io, and bio.tawa.pro */
+    issuer?: string;
+    /** Expected audience (client_id) */
+    audience?: string;
+}
+/** User profile from /api/oauth/userinfo or admin API */
+interface BioUser {
+    sub: string;
+    bioId: string;
+    email: string;
+    emailVerified: boolean;
+    name: string;
+    firstName?: string;
+    lastName?: string;
+    userType: string;
+    roles: string[];
+    permissions: string[];
+    status: string;
+    orgId?: string;
+    orgSlug?: string;
+    organizationId?: string;
+    organizationName?: string;
+    departmentId?: string;
+    departmentName?: string;
+    managerId?: string;
+    enabledModules?: string[];
+    jobTitle?: string;
+    phoneHome?: string;
+    phoneWork?: string;
+    phoneCell?: string;
+    phone?: string;
+    addressHome?: BioAddress;
+    addressWork?: BioAddress;
+    messaging?: BioMessaging;
+    preferences?: Record<string, unknown>;
+    lastLoginAt?: number;
+}
+interface BioAddress {
+    street?: string;
+    city?: string;
+    state?: string;
+    zip?: string;
+    country?: string;
+}
+interface BioMessaging {
+    slack?: string;
+    teams?: string;
+    skype?: string;
+    whatsapp?: string;
+}
+/** Filters for listing users */
+interface UserFilters {
+    search?: string;
+    status?: string;
+    userType?: string;
+    organizationId?: string;
+    page?: number;
+    limit?: number;
+}
+/** Data for updating a user */
+interface UpdateUserData {
+    firstName?: string;
+    lastName?: string;
+    displayName?: string;
+    roles?: string[];
+    status?: string;
+    userType?: string;
+    departmentId?: string;
+    jobTitle?: string;
+    permissions?: string[];
+    enabled_modules?: string[];
+}
+/** Department from admin API */
+interface BioDepartment {
+    id: string;
+    name: string;
+    description?: string;
+    organizationId: string;
+    headId?: string;
+    parentId?: string;
+    memberCount?: number;
+}
+/** Data for creating a department */
+interface CreateDepartmentData {
+    name: string;
+    description?: string;
+    headId?: string;
+    parentId?: string;
+}
+/** Role from admin API */
+interface BioRole {
+    id: string;
+    name: string;
+    description?: string;
+    permissions: string[];
+    isSystem?: boolean;
+}
+/** Data for creating a role */
+interface CreateRoleData {
+    name: string;
+    description?: string;
+    permissions: string[];
+}
+/** OAuth client from admin API */
+interface BioOAuthClient {
+    clientId: string;
+    name: string;
+    description?: string;
+    redirectUris: string[];
+    allowedScopes: string[];
+    allowedGrantTypes: string[];
+    isActive: boolean;
+    orgId?: string;
+    orgSlug?: string;
+    accessTokenTtl?: number;
+    refreshTokenTtl?: number;
+}
+/** Data for creating an OAuth client */
+interface CreateClientData {
+    name: string;
+    description?: string;
+    redirectUris: string[];
+    allowedScopes?: string[];
+    allowedGrantTypes?: string[];
+}
+/** Configuration for BioUsers client */
+interface BioUsersConfig {
+    /** Bio users URL (env: BIO_USERS_URL) */
+    usersUrl: string;
+    /** Service API key (env: BIO_SERVICE_KEY) */
+    serviceKey: string;
+    /** Request timeout in milliseconds (default: 10000) */
+    timeoutMs?: number;
+}
+/** Filters for querying org members via /api/v2/users or /api/orgs/[slug]/members */
+interface OrgMemberFilters {
+    /** Only return members with these modules enabled */
+    modules?: string[];
+    /** Only return members with these roles */
+    roles?: string[];
+    /** Max results (default: 50) */
+    limit?: number;
+    /** Page number for pagination (default: 1) */
+    page?: number;
+}
+/** A member as returned by GET /api/v2/users or GET /api/orgs/[slug]/members */
+interface OrgMember {
+    bioId: string;
+    email: string;
+    name: string;
+    jobTitle?: string;
+    enabled_modules: string[];
+    roles?: string[];
+}
+/** Paginated response from the user access endpoints */
+interface OrgMembersResult {
+    members: OrgMember[];
+    total: number;
+    page: number;
+    limit: number;
+}
+/** Admin API response wrapper */
+interface AdminResponse<T> {
+    success: boolean;
+    data?: T;
+    error?: string;
+    meta?: {
+        total: number;
+        page: number;
+        limit: number;
+    };
+}
+
+export type { AuthorizeOptions as A, BioAuthConfig as B, CreateDepartmentData as C, IntrospectResult as I, JWKSVerifyOptions as J, OrgMember as O, TokenResponse as T, UserFilters as U, VerifyOptions as V, AuthorizeResult as a, BioUser as b, BioAdminConfig as c, UpdateUserData as d, BioDepartment as e, BioRole as f, CreateRoleData as g, BioOAuthClient as h, CreateClientData as i, BioTokenPayload as j, AdminResponse as k, BioAddress as l, BioClientTokenPayload as m, BioMessaging as n, BioUsersConfig as o, OrgMemberFilters as p, OrgMembersResult as q };

package/dist/types-Dkb-drHZ.d.ts

@@ -0,0 +1,302 @@
+/** Configuration for BioAuth (OAuth flow client) */
+interface BioAuthConfig {
+    /** OAuth client ID (env: BIO_CLIENT_ID) */
+    clientId: string;
+    /** OAuth client secret (env: BIO_CLIENT_SECRET) */
+    clientSecret: string;
+    /** Bio-ID issuer URL (env: BIO_ID_URL, default: https://bio.tawa.pro) */
+    issuer?: string;
+    /** Number of retry attempts on transient failures (default: 2) */
+    retries?: number;
+    /** Request timeout in milliseconds (default: 10000) */
+    timeoutMs?: number;
+}
+/** Configuration for BioAdmin (admin API client) */
+interface BioAdminConfig {
+    /** Bio-ID base URL (env: BIO_ID_URL, default: https://bio.tawa.pro) */
+    baseUrl?: string;
+    /** Internal API key for service-to-service auth (env: INTERNAL_API_KEY) */
+    internalKey?: string;
+    /** Async function returning a Bearer token (alternative to internalKey) */
+    accessTokenFn?: () => Promise<string>;
+    /** Number of retry attempts on transient failures (default: 2) */
+    retries?: number;
+    /** Request timeout in milliseconds (default: 10000) */
+    timeoutMs?: number;
+}
+/** Options for building an authorization URL */
+interface AuthorizeOptions {
+    /** Callback URL where Bio-ID redirects after authorization */
+    redirectUri: string;
+    /** OAuth scopes to request (default: ['openid', 'profile', 'email']) */
+    scopes?: string[];
+    /** CSRF state parameter (auto-generated if not provided) */
+    state?: string;
+    /** Optional org slug to pre-select during authorization (for multi-org users) */
+    organization?: string;
+}
+/** Result from getAuthorizationUrl() */
+interface AuthorizeResult {
+    /** Full authorization URL to redirect the user to */
+    url: string;
+    /** State parameter (for CSRF validation on callback) */
+    state: string;
+    /** PKCE code verifier (store securely, send during token exchange) */
+    codeVerifier: string;
+    /** PKCE code challenge (included in the URL) */
+    codeChallenge: string;
+}
+/** Response from the /api/oauth/token endpoint */
+interface TokenResponse {
+    access_token: string;
+    token_type: 'Bearer';
+    expires_in: number;
+    refresh_token?: string;
+    scope: string;
+    id_token?: string;
+}
+/** Response from the /api/auth/introspect endpoint */
+interface IntrospectResult {
+    active: boolean;
+    user?: {
+        id: string;
+        email: string;
+        name: string;
+        org: string;
+        roles: string[];
+    };
+    tokenType?: 'client_credentials';
+    clientId?: string;
+    scopes?: string[];
+    orgId?: string;
+    orgSlug?: string;
+    organizationName?: string;
+}
+/** Decoded access token payload (user auth) */
+interface BioTokenPayload {
+    iss: string;
+    sub: string;
+    aud: string;
+    exp: number;
+    iat: number;
+    bioId: string;
+    email: string;
+    name: string;
+    userType: string;
+    roles: string[];
+    permissions: string[];
+    orgId?: string;
+    orgSlug?: string;
+    /** Org-specific role slugs within the user's active org (from OrgMembership) */
+    orgRoles?: string[];
+    /** Job title at the active org (from OrgMembership.jobTitle) */
+    orgTitle?: string;
+    /** Additional modules granted by the org specifically (from OrgMembership.enabled_modules) */
+    orgModules?: string[];
+    client_id: string;
+    scope: string;
+    enabled_modules?: string[];
+    onboarding?: {
+        platform: boolean;
+        modules: Record<string, {
+            completed: string[];
+            due: string[];
+        }>;
+    };
+}
+/** Decoded client credentials token payload (service-to-service) */
+interface BioClientTokenPayload {
+    iss: string;
+    exp: number;
+    iat: number;
+    client_id: string;
+    scope: string;
+    token_type: 'client_credentials';
+    orgId?: string;
+    orgSlug?: string;
+}
+/** Options for local JWT verification (HS256) */
+interface VerifyOptions {
+    /** Expected issuer (default: config issuer) */
+    issuer?: string;
+    /** Expected audience (client_id) */
+    audience?: string;
+}
+/** Options for JWKS-based JWT verification (RS256) */
+interface JWKSVerifyOptions {
+    /** JWKS endpoint URL (default: https://bio.tawa.pro/.well-known/jwks.json) */
+    jwksUri?: string;
+    /** Expected issuer — defaults to accepting bio.insureco.io, bio.tawa.insureco.io, and bio.tawa.pro */
+    issuer?: string;
+    /** Expected audience (client_id) */
+    audience?: string;
+}
+/** User profile from /api/oauth/userinfo or admin API */
+interface BioUser {
+    sub: string;
+    bioId: string;
+    email: string;
+    emailVerified: boolean;
+    name: string;
+    firstName?: string;
+    lastName?: string;
+    userType: string;
+    roles: string[];
+    permissions: string[];
+    status: string;
+    orgId?: string;
+    orgSlug?: string;
+    organizationId?: string;
+    organizationName?: string;
+    departmentId?: string;
+    departmentName?: string;
+    managerId?: string;
+    enabledModules?: string[];
+    jobTitle?: string;
+    phoneHome?: string;
+    phoneWork?: string;
+    phoneCell?: string;
+    phone?: string;
+    addressHome?: BioAddress;
+    addressWork?: BioAddress;
+    messaging?: BioMessaging;
+    preferences?: Record<string, unknown>;
+    lastLoginAt?: number;
+}
+interface BioAddress {
+    street?: string;
+    city?: string;
+    state?: string;
+    zip?: string;
+    country?: string;
+}
+interface BioMessaging {
+    slack?: string;
+    teams?: string;
+    skype?: string;
+    whatsapp?: string;
+}
+/** Filters for listing users */
+interface UserFilters {
+    search?: string;
+    status?: string;
+    userType?: string;
+    organizationId?: string;
+    page?: number;
+    limit?: number;
+}
+/** Data for updating a user */
+interface UpdateUserData {
+    firstName?: string;
+    lastName?: string;
+    displayName?: string;
+    roles?: string[];
+    status?: string;
+    userType?: string;
+    departmentId?: string;
+    jobTitle?: string;
+    permissions?: string[];
+    enabled_modules?: string[];
+}
+/** Department from admin API */
+interface BioDepartment {
+    id: string;
+    name: string;
+    description?: string;
+    organizationId: string;
+    headId?: string;
+    parentId?: string;
+    memberCount?: number;
+}
+/** Data for creating a department */
+interface CreateDepartmentData {
+    name: string;
+    description?: string;
+    headId?: string;
+    parentId?: string;
+}
+/** Role from admin API */
+interface BioRole {
+    id: string;
+    name: string;
+    description?: string;
+    permissions: string[];
+    isSystem?: boolean;
+}
+/** Data for creating a role */
+interface CreateRoleData {
+    name: string;
+    description?: string;
+    permissions: string[];
+}
+/** OAuth client from admin API */
+interface BioOAuthClient {
+    clientId: string;
+    name: string;
+    description?: string;
+    redirectUris: string[];
+    allowedScopes: string[];
+    allowedGrantTypes: string[];
+    isActive: boolean;
+    orgId?: string;
+    orgSlug?: string;
+    accessTokenTtl?: number;
+    refreshTokenTtl?: number;
+}
+/** Data for creating an OAuth client */
+interface CreateClientData {
+    name: string;
+    description?: string;
+    redirectUris: string[];
+    allowedScopes?: string[];
+    allowedGrantTypes?: string[];
+}
+/** Configuration for BioUsers client */
+interface BioUsersConfig {
+    /** Bio users URL (env: BIO_USERS_URL) */
+    usersUrl: string;
+    /** Service API key (env: BIO_SERVICE_KEY) */
+    serviceKey: string;
+    /** Request timeout in milliseconds (default: 10000) */
+    timeoutMs?: number;
+}
+/** Filters for querying org members via /api/v2/users or /api/orgs/[slug]/members */
+interface OrgMemberFilters {
+    /** Only return members with these modules enabled */
+    modules?: string[];
+    /** Only return members with these roles */
+    roles?: string[];
+    /** Max results (default: 50) */
+    limit?: number;
+    /** Page number for pagination (default: 1) */
+    page?: number;
+}
+/** A member as returned by GET /api/v2/users or GET /api/orgs/[slug]/members */
+interface OrgMember {
+    bioId: string;
+    email: string;
+    name: string;
+    jobTitle?: string;
+    enabled_modules: string[];
+    roles?: string[];
+}
+/** Paginated response from the user access endpoints */
+interface OrgMembersResult {
+    members: OrgMember[];
+    total: number;
+    page: number;
+    limit: number;
+}
+/** Admin API response wrapper */
+interface AdminResponse<T> {
+    success: boolean;
+    data?: T;
+    error?: string;
+    meta?: {
+        total: number;
+        page: number;
+        limit: number;
+    };
+}
+
+export type { AuthorizeOptions as A, BioAuthConfig as B, CreateDepartmentData as C, IntrospectResult as I, JWKSVerifyOptions as J, OrgMember as O, TokenResponse as T, UserFilters as U, VerifyOptions as V, AuthorizeResult as a, BioUser as b, BioAdminConfig as c, UpdateUserData as d, BioDepartment as e, BioRole as f, CreateRoleData as g, BioOAuthClient as h, CreateClientData as i, BioTokenPayload as j, AdminResponse as k, BioAddress as l, BioClientTokenPayload as m, BioMessaging as n, BioUsersConfig as o, OrgMemberFilters as p, OrgMembersResult as q };