@insureco/bio 0.3.0 → 0.4.0

package/dist/chunk-NK5VXXWF.mjs

@@ -0,0 +1,43 @@
+// src/errors.ts
+var BioError = class extends Error {
+  /** HTTP status code (if from an API response) */
+  statusCode;
+  /** Machine-readable error code (e.g. 'invalid_grant', 'token_expired') */
+  code;
+  /** Additional error details from the API */
+  details;
+  constructor(message, code, statusCode, details) {
+    super(message);
+    this.name = "BioError";
+    this.code = code;
+    this.statusCode = statusCode;
+    this.details = details;
+  }
+};
+
+// src/utils.ts
+function retryDelay(attempt) {
+  const baseDelay = Math.min(1e3 * 2 ** attempt, 5e3);
+  return baseDelay * (0.5 + Math.random() * 0.5);
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function parseJsonResponse(response) {
+  try {
+    return await response.json();
+  } catch {
+    throw new BioError(
+      `Bio-ID returned ${response.status} with non-JSON body`,
+      "parse_error",
+      response.status
+    );
+  }
+}
+
+export {
+  BioError,
+  retryDelay,
+  sleep,
+  parseJsonResponse
+};

package/dist/index.d.mts

@@ -1,267 +1,5 @@
-/** Configuration for BioAuth (OAuth flow client) */
-interface BioAuthConfig {
-    /** OAuth client ID (env: BIO_CLIENT_ID) */
-    clientId: string;
-    /** OAuth client secret (env: BIO_CLIENT_SECRET) */
-    clientSecret: string;
-    /** Bio-ID issuer URL (env: BIO_ID_URL, default: https://bio.tawa.pro) */
-    issuer?: string;
-    /** Number of retry attempts on transient failures (default: 2) */
-    retries?: number;
-    /** Request timeout in milliseconds (default: 10000) */
-    timeoutMs?: number;
-}
-/** Configuration for BioAdmin (admin API client) */
-interface BioAdminConfig {
-    /** Bio-ID base URL (env: BIO_ID_URL, default: https://bio.tawa.pro) */
-    baseUrl?: string;
-    /** Internal API key for service-to-service auth (env: INTERNAL_API_KEY) */
-    internalKey?: string;
-    /** Async function returning a Bearer token (alternative to internalKey) */
-    accessTokenFn?: () => Promise<string>;
-    /** Number of retry attempts on transient failures (default: 2) */
-    retries?: number;
-    /** Request timeout in milliseconds (default: 10000) */
-    timeoutMs?: number;
-}
-/** Options for building an authorization URL */
-interface AuthorizeOptions {
-    /** Callback URL where Bio-ID redirects after authorization */
-    redirectUri: string;
-    /** OAuth scopes to request (default: ['openid', 'profile', 'email']) */
-    scopes?: string[];
-    /** CSRF state parameter (auto-generated if not provided) */
-    state?: string;
-    /** Optional org slug to pre-select during authorization (for multi-org users) */
-    organization?: string;
-}
-/** Result from getAuthorizationUrl() */
-interface AuthorizeResult {
-    /** Full authorization URL to redirect the user to */
-    url: string;
-    /** State parameter (for CSRF validation on callback) */
-    state: string;
-    /** PKCE code verifier (store securely, send during token exchange) */
-    codeVerifier: string;
-    /** PKCE code challenge (included in the URL) */
-    codeChallenge: string;
-}
-/** Response from the /api/oauth/token endpoint */
-interface TokenResponse {
-    access_token: string;
-    token_type: 'Bearer';
-    expires_in: number;
-    refresh_token?: string;
-    scope: string;
-    id_token?: string;
-}
-/** Response from the /api/auth/introspect endpoint */
-interface IntrospectResult {
-    active: boolean;
-    user?: {
-        id: string;
-        email: string;
-        name: string;
-        org: string;
-        roles: string[];
-    };
-    tokenType?: 'client_credentials';
-    clientId?: string;
-    scopes?: string[];
-    orgId?: string;
-    orgSlug?: string;
-    organizationName?: string;
-}
-/** Decoded access token payload (user auth) */
-interface BioTokenPayload {
-    iss: string;
-    sub: string;
-    aud: string;
-    exp: number;
-    iat: number;
-    bioId: string;
-    email: string;
-    name: string;
-    userType: string;
-    roles: string[];
-    permissions: string[];
-    orgId?: string;
-    orgSlug?: string;
-    /** Org-specific role slugs within the user's active org (from OrgMembership) */
-    orgRoles?: string[];
-    /** Job title at the active org (from OrgMembership.jobTitle) */
-    orgTitle?: string;
-    /** Additional modules granted by the org specifically (from OrgMembership.enabled_modules) */
-    orgModules?: string[];
-    client_id: string;
-    scope: string;
-    enabled_modules?: string[];
-    onboarding?: {
-        platform: boolean;
-        modules: Record<string, {
-            completed: string[];
-            due: string[];
-        }>;
-    };
-}
-/** Decoded client credentials token payload (service-to-service) */
-interface BioClientTokenPayload {
-    iss: string;
-    exp: number;
-    iat: number;
-    client_id: string;
-    scope: string;
-    token_type: 'client_credentials';
-    orgId?: string;
-    orgSlug?: string;
-}
-/** Options for local JWT verification (HS256) */
-interface VerifyOptions {
-    /** Expected issuer (default: config issuer) */
-    issuer?: string;
-    /** Expected audience (client_id) */
-    audience?: string;
-}
-/** Options for JWKS-based JWT verification (RS256) */
-interface JWKSVerifyOptions {
-    /** JWKS endpoint URL (default: https://bio.tawa.pro/.well-known/jwks.json) */
-    jwksUri?: string;
-    /** Expected issuer — defaults to accepting bio.insureco.io, bio.tawa.insureco.io, and bio.tawa.pro */
-    issuer?: string;
-    /** Expected audience (client_id) */
-    audience?: string;
-}
-/** User profile from /api/oauth/userinfo or admin API */
-interface BioUser {
-    sub: string;
-    bioId: string;
-    email: string;
-    emailVerified: boolean;
-    name: string;
-    firstName?: string;
-    lastName?: string;
-    userType: string;
-    roles: string[];
-    permissions: string[];
-    status: string;
-    orgId?: string;
-    orgSlug?: string;
-    organizationId?: string;
-    organizationName?: string;
-    departmentId?: string;
-    departmentName?: string;
-    managerId?: string;
-    enabledModules?: string[];
-    jobTitle?: string;
-    phoneHome?: string;
-    phoneWork?: string;
-    phoneCell?: string;
-    phone?: string;
-    addressHome?: BioAddress;
-    addressWork?: BioAddress;
-    messaging?: BioMessaging;
-    preferences?: Record<string, unknown>;
-    lastLoginAt?: number;
-}
-interface BioAddress {
-    street?: string;
-    city?: string;
-    state?: string;
-    zip?: string;
-    country?: string;
-}
-interface BioMessaging {
-    slack?: string;
-    teams?: string;
-    skype?: string;
-    whatsapp?: string;
-}
-/** Filters for listing users */
-interface UserFilters {
-    search?: string;
-    status?: string;
-    userType?: string;
-    organizationId?: string;
-    page?: number;
-    limit?: number;
-}
-/** Data for updating a user */
-interface UpdateUserData {
-    firstName?: string;
-    lastName?: string;
-    displayName?: string;
-    roles?: string[];
-    status?: string;
-    userType?: string;
-    departmentId?: string;
-    jobTitle?: string;
-    permissions?: string[];
-    enabled_modules?: string[];
-}
-/** Department from admin API */
-interface BioDepartment {
-    id: string;
-    name: string;
-    description?: string;
-    organizationId: string;
-    headId?: string;
-    parentId?: string;
-    memberCount?: number;
-}
-/** Data for creating a department */
-interface CreateDepartmentData {
-    name: string;
-    description?: string;
-    headId?: string;
-    parentId?: string;
-}
-/** Role from admin API */
-interface BioRole {
-    id: string;
-    name: string;
-    description?: string;
-    permissions: string[];
-    isSystem?: boolean;
-}
-/** Data for creating a role */
-interface CreateRoleData {
-    name: string;
-    description?: string;
-    permissions: string[];
-}
-/** OAuth client from admin API */
-interface BioOAuthClient {
-    clientId: string;
-    name: string;
-    description?: string;
-    redirectUris: string[];
-    allowedScopes: string[];
-    allowedGrantTypes: string[];
-    isActive: boolean;
-    orgId?: string;
-    orgSlug?: string;
-    accessTokenTtl?: number;
-    refreshTokenTtl?: number;
-}
-/** Data for creating an OAuth client */
-interface CreateClientData {
-    name: string;
-    description?: string;
-    redirectUris: string[];
-    allowedScopes?: string[];
-    allowedGrantTypes?: string[];
-}
-/** Admin API response wrapper */
-interface AdminResponse<T> {
-    success: boolean;
-    data?: T;
-    error?: string;
-    meta?: {
-        total: number;
-        page: number;
-        limit: number;
-    };
-}
+import { B as BioAuthConfig, A as AuthorizeOptions, a as AuthorizeResult, T as TokenResponse, b as BioUser, I as IntrospectResult, c as BioAdminConfig, U as UserFilters, d as UpdateUserData, e as BioDepartment, C as CreateDepartmentData, f as BioRole, g as CreateRoleData, h as BioOAuthClient, i as CreateClientData, j as BioTokenPayload, V as VerifyOptions, J as JWKSVerifyOptions } from './types-Dkb-drHZ.mjs';
+export { k as AdminResponse, l as BioAddress, m as BioClientTokenPayload, n as BioMessaging, o as BioUsersConfig, O as OrgMember, p as OrgMemberFilters, q as OrgMembersResult } from './types-Dkb-drHZ.mjs';
 
 /**
  * OAuth flow client for Bio-ID SSO.
@@ -416,4 +154,4 @@ declare function isTokenExpired(token: string, bufferSeconds?: number): boolean;
  */
 declare function verifyTokenJWKS(token: string, options?: JWKSVerifyOptions): Promise<BioTokenPayload>;
 
-export { type AdminResponse, type AuthorizeOptions, type AuthorizeResult, type BioAddress, BioAdmin, type BioAdminConfig, BioAuth, type BioAuthConfig, type BioClientTokenPayload, type BioDepartment, BioError, type BioMessaging, type BioOAuthClient, type BioRole, type BioTokenPayload, type BioUser, type CreateClientData, type CreateDepartmentData, type CreateRoleData, type IntrospectResult, type JWKSVerifyOptions, type TokenResponse, type UpdateUserData, type UserFilters, type VerifyOptions, decodeToken, generatePKCE, isTokenExpired, verifyToken, verifyTokenJWKS };
+export { AuthorizeOptions, AuthorizeResult, BioAdmin, BioAdminConfig, BioAuth, BioAuthConfig, BioDepartment, BioError, BioOAuthClient, BioRole, BioTokenPayload, BioUser, CreateClientData, CreateDepartmentData, CreateRoleData, IntrospectResult, JWKSVerifyOptions, TokenResponse, UpdateUserData, UserFilters, VerifyOptions, decodeToken, generatePKCE, isTokenExpired, verifyToken, verifyTokenJWKS };

package/dist/index.d.ts

@@ -1,267 +1,5 @@
-/** Configuration for BioAuth (OAuth flow client) */
-interface BioAuthConfig {
-    /** OAuth client ID (env: BIO_CLIENT_ID) */
-    clientId: string;
-    /** OAuth client secret (env: BIO_CLIENT_SECRET) */
-    clientSecret: string;
-    /** Bio-ID issuer URL (env: BIO_ID_URL, default: https://bio.tawa.pro) */
-    issuer?: string;
-    /** Number of retry attempts on transient failures (default: 2) */
-    retries?: number;
-    /** Request timeout in milliseconds (default: 10000) */
-    timeoutMs?: number;
-}
-/** Configuration for BioAdmin (admin API client) */
-interface BioAdminConfig {
-    /** Bio-ID base URL (env: BIO_ID_URL, default: https://bio.tawa.pro) */
-    baseUrl?: string;
-    /** Internal API key for service-to-service auth (env: INTERNAL_API_KEY) */
-    internalKey?: string;
-    /** Async function returning a Bearer token (alternative to internalKey) */
-    accessTokenFn?: () => Promise<string>;
-    /** Number of retry attempts on transient failures (default: 2) */
-    retries?: number;
-    /** Request timeout in milliseconds (default: 10000) */
-    timeoutMs?: number;
-}
-/** Options for building an authorization URL */
-interface AuthorizeOptions {
-    /** Callback URL where Bio-ID redirects after authorization */
-    redirectUri: string;
-    /** OAuth scopes to request (default: ['openid', 'profile', 'email']) */
-    scopes?: string[];
-    /** CSRF state parameter (auto-generated if not provided) */
-    state?: string;
-    /** Optional org slug to pre-select during authorization (for multi-org users) */
-    organization?: string;
-}
-/** Result from getAuthorizationUrl() */
-interface AuthorizeResult {
-    /** Full authorization URL to redirect the user to */
-    url: string;
-    /** State parameter (for CSRF validation on callback) */
-    state: string;
-    /** PKCE code verifier (store securely, send during token exchange) */
-    codeVerifier: string;
-    /** PKCE code challenge (included in the URL) */
-    codeChallenge: string;
-}
-/** Response from the /api/oauth/token endpoint */
-interface TokenResponse {
-    access_token: string;
-    token_type: 'Bearer';
-    expires_in: number;
-    refresh_token?: string;
-    scope: string;
-    id_token?: string;
-}
-/** Response from the /api/auth/introspect endpoint */
-interface IntrospectResult {
-    active: boolean;
-    user?: {
-        id: string;
-        email: string;
-        name: string;
-        org: string;
-        roles: string[];
-    };
-    tokenType?: 'client_credentials';
-    clientId?: string;
-    scopes?: string[];
-    orgId?: string;
-    orgSlug?: string;
-    organizationName?: string;
-}
-/** Decoded access token payload (user auth) */
-interface BioTokenPayload {
-    iss: string;
-    sub: string;
-    aud: string;
-    exp: number;
-    iat: number;
-    bioId: string;
-    email: string;
-    name: string;
-    userType: string;
-    roles: string[];
-    permissions: string[];
-    orgId?: string;
-    orgSlug?: string;
-    /** Org-specific role slugs within the user's active org (from OrgMembership) */
-    orgRoles?: string[];
-    /** Job title at the active org (from OrgMembership.jobTitle) */
-    orgTitle?: string;
-    /** Additional modules granted by the org specifically (from OrgMembership.enabled_modules) */
-    orgModules?: string[];
-    client_id: string;
-    scope: string;
-    enabled_modules?: string[];
-    onboarding?: {
-        platform: boolean;
-        modules: Record<string, {
-            completed: string[];
-            due: string[];
-        }>;
-    };
-}
-/** Decoded client credentials token payload (service-to-service) */
-interface BioClientTokenPayload {
-    iss: string;
-    exp: number;
-    iat: number;
-    client_id: string;
-    scope: string;
-    token_type: 'client_credentials';
-    orgId?: string;
-    orgSlug?: string;
-}
-/** Options for local JWT verification (HS256) */
-interface VerifyOptions {
-    /** Expected issuer (default: config issuer) */
-    issuer?: string;
-    /** Expected audience (client_id) */
-    audience?: string;
-}
-/** Options for JWKS-based JWT verification (RS256) */
-interface JWKSVerifyOptions {
-    /** JWKS endpoint URL (default: https://bio.tawa.pro/.well-known/jwks.json) */
-    jwksUri?: string;
-    /** Expected issuer — defaults to accepting bio.insureco.io, bio.tawa.insureco.io, and bio.tawa.pro */
-    issuer?: string;
-    /** Expected audience (client_id) */
-    audience?: string;
-}
-/** User profile from /api/oauth/userinfo or admin API */
-interface BioUser {
-    sub: string;
-    bioId: string;
-    email: string;
-    emailVerified: boolean;
-    name: string;
-    firstName?: string;
-    lastName?: string;
-    userType: string;
-    roles: string[];
-    permissions: string[];
-    status: string;
-    orgId?: string;
-    orgSlug?: string;
-    organizationId?: string;
-    organizationName?: string;
-    departmentId?: string;
-    departmentName?: string;
-    managerId?: string;
-    enabledModules?: string[];
-    jobTitle?: string;
-    phoneHome?: string;
-    phoneWork?: string;
-    phoneCell?: string;
-    phone?: string;
-    addressHome?: BioAddress;
-    addressWork?: BioAddress;
-    messaging?: BioMessaging;
-    preferences?: Record<string, unknown>;
-    lastLoginAt?: number;
-}
-interface BioAddress {
-    street?: string;
-    city?: string;
-    state?: string;
-    zip?: string;
-    country?: string;
-}
-interface BioMessaging {
-    slack?: string;
-    teams?: string;
-    skype?: string;
-    whatsapp?: string;
-}
-/** Filters for listing users */
-interface UserFilters {
-    search?: string;
-    status?: string;
-    userType?: string;
-    organizationId?: string;
-    page?: number;
-    limit?: number;
-}
-/** Data for updating a user */
-interface UpdateUserData {
-    firstName?: string;
-    lastName?: string;
-    displayName?: string;
-    roles?: string[];
-    status?: string;
-    userType?: string;
-    departmentId?: string;
-    jobTitle?: string;
-    permissions?: string[];
-    enabled_modules?: string[];
-}
-/** Department from admin API */
-interface BioDepartment {
-    id: string;
-    name: string;
-    description?: string;
-    organizationId: string;
-    headId?: string;
-    parentId?: string;
-    memberCount?: number;
-}
-/** Data for creating a department */
-interface CreateDepartmentData {
-    name: string;
-    description?: string;
-    headId?: string;
-    parentId?: string;
-}
-/** Role from admin API */
-interface BioRole {
-    id: string;
-    name: string;
-    description?: string;
-    permissions: string[];
-    isSystem?: boolean;
-}
-/** Data for creating a role */
-interface CreateRoleData {
-    name: string;
-    description?: string;
-    permissions: string[];
-}
-/** OAuth client from admin API */
-interface BioOAuthClient {
-    clientId: string;
-    name: string;
-    description?: string;
-    redirectUris: string[];
-    allowedScopes: string[];
-    allowedGrantTypes: string[];
-    isActive: boolean;
-    orgId?: string;
-    orgSlug?: string;
-    accessTokenTtl?: number;
-    refreshTokenTtl?: number;
-}
-/** Data for creating an OAuth client */
-interface CreateClientData {
-    name: string;
-    description?: string;
-    redirectUris: string[];
-    allowedScopes?: string[];
-    allowedGrantTypes?: string[];
-}
-/** Admin API response wrapper */
-interface AdminResponse<T> {
-    success: boolean;
-    data?: T;
-    error?: string;
-    meta?: {
-        total: number;
-        page: number;
-        limit: number;
-    };
-}
+import { B as BioAuthConfig, A as AuthorizeOptions, a as AuthorizeResult, T as TokenResponse, b as BioUser, I as IntrospectResult, c as BioAdminConfig, U as UserFilters, d as UpdateUserData, e as BioDepartment, C as CreateDepartmentData, f as BioRole, g as CreateRoleData, h as BioOAuthClient, i as CreateClientData, j as BioTokenPayload, V as VerifyOptions, J as JWKSVerifyOptions } from './types-Dkb-drHZ.js';
+export { k as AdminResponse, l as BioAddress, m as BioClientTokenPayload, n as BioMessaging, o as BioUsersConfig, O as OrgMember, p as OrgMemberFilters, q as OrgMembersResult } from './types-Dkb-drHZ.js';
 
 /**
  * OAuth flow client for Bio-ID SSO.
@@ -416,4 +154,4 @@ declare function isTokenExpired(token: string, bufferSeconds?: number): boolean;
  */
 declare function verifyTokenJWKS(token: string, options?: JWKSVerifyOptions): Promise<BioTokenPayload>;
 
-export { type AdminResponse, type AuthorizeOptions, type AuthorizeResult, type BioAddress, BioAdmin, type BioAdminConfig, BioAuth, type BioAuthConfig, type BioClientTokenPayload, type BioDepartment, BioError, type BioMessaging, type BioOAuthClient, type BioRole, type BioTokenPayload, type BioUser, type CreateClientData, type CreateDepartmentData, type CreateRoleData, type IntrospectResult, type JWKSVerifyOptions, type TokenResponse, type UpdateUserData, type UserFilters, type VerifyOptions, decodeToken, generatePKCE, isTokenExpired, verifyToken, verifyTokenJWKS };
+export { AuthorizeOptions, AuthorizeResult, BioAdmin, BioAdminConfig, BioAuth, BioAuthConfig, BioDepartment, BioError, BioOAuthClient, BioRole, BioTokenPayload, BioUser, CreateClientData, CreateDepartmentData, CreateRoleData, IntrospectResult, JWKSVerifyOptions, TokenResponse, UpdateUserData, UserFilters, VerifyOptions, decodeToken, generatePKCE, isTokenExpired, verifyToken, verifyTokenJWKS };

package/dist/index.mjs

@@ -1,23 +1,13 @@
+import {
+  BioError,
+  parseJsonResponse,
+  retryDelay,
+  sleep
+} from "./chunk-NK5VXXWF.mjs";
+
 // src/auth.ts
 import crypto2 from "crypto";
 
-// src/errors.ts
-var BioError = class extends Error {
-  /** HTTP status code (if from an API response) */
-  statusCode;
-  /** Machine-readable error code (e.g. 'invalid_grant', 'token_expired') */
-  code;
-  /** Additional error details from the API */
-  details;
-  constructor(message, code, statusCode, details) {
-    super(message);
-    this.name = "BioError";
-    this.code = code;
-    this.statusCode = statusCode;
-    this.details = details;
-  }
-};
-
 // src/pkce.ts
 import crypto from "crypto";
 function generatePKCE() {
@@ -26,26 +16,6 @@ function generatePKCE() {
   return { codeVerifier, codeChallenge };
 }
 
-// src/utils.ts
-function retryDelay(attempt) {
-  const baseDelay = Math.min(1e3 * 2 ** attempt, 5e3);
-  return baseDelay * (0.5 + Math.random() * 0.5);
-}
-function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
-async function parseJsonResponse(response) {
-  try {
-    return await response.json();
-  } catch {
-    throw new BioError(
-      `Bio-ID returned ${response.status} with non-JSON body`,
-      "parse_error",
-      response.status
-    );
-  }
-}
-
 // src/auth.ts
 var DEFAULT_ISSUER = "https://bio.tawa.pro";
 var DEFAULT_SCOPES = ["openid", "profile", "email"];