@insureco/bio 0.5.0 → 0.8.0

package/dist/index.mjs

@@ -1,6 +1,9 @@
 import {
   GraphClient
-} from "./chunk-PLN6QPED.mjs";
+} from "./chunk-CKHMGUDP.mjs";
+import {
+  PassportClient
+} from "./chunk-UBURAGWI.mjs";
 import {
   BioError,
   parseJsonResponse,
@@ -100,6 +103,23 @@ var BioAuth = class _BioAuth {
       codeChallenge
     };
   }
+  /**
+   * Build an authorization URL with prompt=none for silent authentication.
+   *
+   * Useful for checking if the user has an existing session without showing
+   * a login screen. If the user is not authenticated, Bio-ID redirects back
+   * with an `error=login_required` query parameter instead of showing UI.
+   */
+  silentAuth(opts) {
+    const result = this.getAuthorizationUrl({
+      redirectUri: opts.redirectUri,
+      scopes: opts.scopes,
+      state: opts.state
+    });
+    const url = new URL(result.url);
+    url.searchParams.set("prompt", "none");
+    return { ...result, url: url.toString() };
+  }
   /**
    * Exchange an authorization code for tokens.
    *
@@ -515,6 +535,257 @@ var BioAdmin = class _BioAdmin {
   }
 };
 
+// src/embed.ts
+var DEFAULT_BIO_URL = "https://bio.tawa.pro";
+var DEFAULT_TIMEOUT_MS3 = 1e4;
+var EmbedClient = class _EmbedClient {
+  bioIdUrl;
+  clientId;
+  clientSecret;
+  retries;
+  timeoutMs;
+  constructor(config) {
+    if (!config.clientId) {
+      throw new BioError("clientId is required", "config_error");
+    }
+    if (!config.clientSecret) {
+      throw new BioError("clientSecret is required", "config_error");
+    }
+    this.clientId = config.clientId;
+    this.clientSecret = config.clientSecret;
+    this.bioIdUrl = (config.bioIdUrl ?? DEFAULT_BIO_URL).replace(/\/$/, "");
+    this.retries = config.retries ?? 2;
+    this.timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS3;
+  }
+  /**
+   * Create an EmbedClient from environment variables.
+   *
+   * Reads: BIO_CLIENT_ID, BIO_CLIENT_SECRET, BIO_ID_URL
+   */
+  static fromEnv(overrides) {
+    const clientId = overrides?.clientId ?? process.env.BIO_CLIENT_ID;
+    const clientSecret = overrides?.clientSecret ?? process.env.BIO_CLIENT_SECRET;
+    if (!clientId) {
+      throw new BioError(
+        "BIO_CLIENT_ID environment variable is required",
+        "config_error"
+      );
+    }
+    if (!clientSecret) {
+      throw new BioError(
+        "BIO_CLIENT_SECRET environment variable is required",
+        "config_error"
+      );
+    }
+    return new _EmbedClient({
+      clientId,
+      clientSecret,
+      bioIdUrl: overrides?.bioIdUrl ?? process.env.BIO_ID_URL,
+      retries: overrides?.retries,
+      timeoutMs: overrides?.timeoutMs
+    });
+  }
+  /**
+   * Authenticate a user with email and password.
+   *
+   * @param params - Email and password
+   * @returns Access token, refresh token, user profile, and optional branding
+   */
+  async login(params) {
+    if (!params.email) throw new BioError("email is required", "validation_error");
+    if (!params.password) throw new BioError("password is required", "validation_error");
+    return this.embedRequest("/api/embed/login", {
+      email: params.email,
+      password: params.password
+    });
+  }
+  /**
+   * Create a new user account.
+   *
+   * @param params - Email, password, name, and optional invite token
+   * @returns Access token, refresh token, user profile, and optional branding
+   */
+  async signup(params) {
+    if (!params.email) throw new BioError("email is required", "validation_error");
+    if (!params.password) throw new BioError("password is required", "validation_error");
+    if (!params.name) throw new BioError("name is required", "validation_error");
+    const body = {
+      email: params.email,
+      password: params.password,
+      name: params.name
+    };
+    if (params.inviteToken) {
+      body.inviteToken = params.inviteToken;
+    }
+    return this.embedRequest("/api/embed/signup", body);
+  }
+  /**
+   * Send a magic link email to the user.
+   *
+   * The user clicks the link to authenticate without a password.
+   * After sending, use `verify()` with the token from the link.
+   *
+   * @param params - Email address to send the magic link to
+   */
+  async sendMagicLink(params) {
+    if (!params.email) throw new BioError("email is required", "validation_error");
+    const response = await this.fetchWithRetry(
+      "POST",
+      `${this.bioIdUrl}/api/embed/magic-link`,
+      JSON.stringify({ email: params.email })
+    );
+    const json = await parseJsonResponse(response);
+    if (!response.ok) {
+      throw new BioError(
+        extractErrorMessage(json, response.status),
+        extractErrorCode(json),
+        response.status,
+        json
+      );
+    }
+  }
+  /**
+   * Verify a magic link token and exchange it for auth tokens.
+   *
+   * @param params - The token from the magic link
+   * @returns Access token, refresh token, user profile, and optional branding
+   */
+  async verify(params) {
+    if (!params.token) throw new BioError("token is required", "validation_error");
+    return this.embedRequest("/api/embed/verify", {
+      token: params.token
+    });
+  }
+  /**
+   * Refresh an expired access token using a refresh token.
+   *
+   * @param params - The refresh token to exchange
+   * @returns New access token, rotated refresh token, user profile, and optional branding
+   */
+  async refresh(params) {
+    if (!params.refreshToken) throw new BioError("refreshToken is required", "validation_error");
+    return this.embedRequest("/api/embed/refresh", {
+      refreshToken: params.refreshToken
+    });
+  }
+  /**
+   * Revoke a refresh token (logout).
+   *
+   * @param params - The refresh token to revoke
+   */
+  async logout(params) {
+    if (!params.refreshToken) throw new BioError("refreshToken is required", "validation_error");
+    const response = await this.fetchWithRetry(
+      "POST",
+      `${this.bioIdUrl}/api/embed/logout`,
+      JSON.stringify({ refreshToken: params.refreshToken })
+    );
+    const json = await parseJsonResponse(response);
+    if (!response.ok) {
+      throw new BioError(
+        extractErrorMessage(json, response.status),
+        extractErrorCode(json),
+        response.status,
+        json
+      );
+    }
+  }
+  // ── Private helpers ──────────────────────────────────────────────────────
+  async embedRequest(path, body) {
+    const response = await this.fetchWithRetry(
+      "POST",
+      `${this.bioIdUrl}${path}`,
+      JSON.stringify(body)
+    );
+    const json = await parseJsonResponse(response);
+    if (!response.ok) {
+      throw new BioError(
+        extractErrorMessage(json, response.status),
+        extractErrorCode(json),
+        response.status,
+        json
+      );
+    }
+    return mapEmbedResponse(json);
+  }
+  async fetchWithRetry(method, url, body, attempt = 0) {
+    try {
+      const response = await fetch(url, {
+        method,
+        headers: {
+          "Content-Type": "application/json",
+          "X-Client-Id": this.clientId,
+          "X-Client-Secret": this.clientSecret
+        },
+        body,
+        signal: AbortSignal.timeout(this.timeoutMs)
+      });
+      if (response.status >= 500 && attempt < this.retries) {
+        await sleep(retryDelay(attempt));
+        return this.fetchWithRetry(method, url, body, attempt + 1);
+      }
+      return response;
+    } catch (err) {
+      if (attempt < this.retries) {
+        await sleep(retryDelay(attempt));
+        return this.fetchWithRetry(method, url, body, attempt + 1);
+      }
+      const isTimeout = err instanceof DOMException && err.name === "TimeoutError";
+      throw new BioError(
+        isTimeout ? `Request timed out after ${this.timeoutMs}ms` : err instanceof Error ? err.message : "Network error",
+        isTimeout ? "timeout" : "network_error"
+      );
+    }
+  }
+};
+function mapEmbedResponse(raw) {
+  const data = raw.data ?? raw;
+  const rawUser = data.user ?? {};
+  const rawBranding = data.branding;
+  const user = {
+    bioId: rawUser.bioId,
+    email: rawUser.email,
+    name: rawUser.name,
+    orgSlug: rawUser.orgSlug
+  };
+  const result = {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    tokenType: data.token_type ?? "Bearer",
+    expiresIn: data.expires_in,
+    user
+  };
+  if (rawBranding) {
+    result.branding = {
+      displayName: rawBranding.displayName,
+      logoUrl: rawBranding.logoUrl,
+      logoMarkUrl: rawBranding.logoMarkUrl,
+      primaryColor: rawBranding.primaryColor,
+      secondaryColor: rawBranding.secondaryColor,
+      verified: rawBranding.verified,
+      whiteLabelApproved: rawBranding.whiteLabelApproved
+    };
+  }
+  return result;
+}
+function extractErrorMessage(json, status) {
+  const error = json.error;
+  if (typeof error === "object" && error !== null) {
+    return error.message ?? `Embed API returned ${status}`;
+  }
+  if (typeof error === "string") {
+    return error;
+  }
+  return `Embed API returned ${status}`;
+}
+function extractErrorCode(json) {
+  const error = json.error;
+  if (typeof error === "object" && error !== null) {
+    return error.code ?? "embed_error";
+  }
+  return "embed_error";
+}
+
 // src/jwt.ts
 import crypto3 from "crypto";
 var DEFAULT_ISSUERS = [
@@ -671,7 +942,9 @@ export {
   BioAdmin,
   BioAuth,
   BioError,
+  EmbedClient,
   GraphClient,
+  PassportClient,
   decodeToken,
   generatePKCE,
   isTokenExpired,

package/dist/passport-react.d.mts

@@ -0,0 +1,27 @@
+import { P as Passport, a as PassportStatus } from './passport-types-bPgjNxv-.mjs';
+
+interface UsePassportOptions {
+    /** Bio-ID base URL */
+    bioIdUrl: string;
+    /** Access token for authentication */
+    accessToken: string | null;
+    /** Service name for tracking */
+    service?: string;
+    /** Auto-reconnect (default: true) */
+    autoReconnect?: boolean;
+}
+interface UsePassportResult {
+    /** Current passport object (null until identity received) */
+    passport: Passport | null;
+    /** Connection status */
+    status: PassportStatus;
+    /** Last error (null if none) */
+    error: Error | null;
+    /** Manually disconnect */
+    disconnect: () => void;
+    /** Manually reconnect */
+    reconnect: () => void;
+}
+declare function usePassport(options: UsePassportOptions): UsePassportResult;
+
+export { type UsePassportOptions, type UsePassportResult, usePassport };

package/dist/passport-react.d.ts

@@ -0,0 +1,27 @@
+import { P as Passport, a as PassportStatus } from './passport-types-bPgjNxv-.js';
+
+interface UsePassportOptions {
+    /** Bio-ID base URL */
+    bioIdUrl: string;
+    /** Access token for authentication */
+    accessToken: string | null;
+    /** Service name for tracking */
+    service?: string;
+    /** Auto-reconnect (default: true) */
+    autoReconnect?: boolean;
+}
+interface UsePassportResult {
+    /** Current passport object (null until identity received) */
+    passport: Passport | null;
+    /** Connection status */
+    status: PassportStatus;
+    /** Last error (null if none) */
+    error: Error | null;
+    /** Manually disconnect */
+    disconnect: () => void;
+    /** Manually reconnect */
+    reconnect: () => void;
+}
+declare function usePassport(options: UsePassportOptions): UsePassportResult;
+
+export { type UsePassportOptions, type UsePassportResult, usePassport };

package/dist/passport-react.js

@@ -0,0 +1,115 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/passport-react.ts
+var passport_react_exports = {};
+__export(passport_react_exports, {
+  usePassport: () => usePassport
+});
+module.exports = __toCommonJS(passport_react_exports);
+var import_react = require("react");
+function usePassport(options) {
+  const { bioIdUrl, accessToken, service, autoReconnect = true } = options;
+  const [passport, setPassport] = (0, import_react.useState)(null);
+  const [status, setStatus] = (0, import_react.useState)("disconnected");
+  const [error, setError] = (0, import_react.useState)(null);
+  const wsRef = (0, import_react.useRef)(null);
+  const reconnectTimerRef = (0, import_react.useRef)(null);
+  const reconnectAttemptRef = (0, import_react.useRef)(0);
+  const closedRef = (0, import_react.useRef)(false);
+  const cleanup = (0, import_react.useCallback)(() => {
+    if (reconnectTimerRef.current) {
+      clearTimeout(reconnectTimerRef.current);
+      reconnectTimerRef.current = null;
+    }
+    if (wsRef.current) {
+      wsRef.current.onclose = null;
+      wsRef.current.onerror = null;
+      wsRef.current.onmessage = null;
+      wsRef.current.close();
+      wsRef.current = null;
+    }
+  }, []);
+  const connect = (0, import_react.useCallback)(() => {
+    if (!accessToken || !bioIdUrl || closedRef.current) return;
+    cleanup();
+    setStatus("connecting");
+    setError(null);
+    const url = new URL("/passport", bioIdUrl.replace(/^http/, "ws"));
+    url.searchParams.set("token", accessToken);
+    url.searchParams.set("version", "1");
+    if (service) url.searchParams.set("service", service);
+    const ws = new WebSocket(url.toString());
+    wsRef.current = ws;
+    ws.onopen = () => {
+      reconnectAttemptRef.current = 0;
+      setStatus("connected");
+    };
+    ws.onmessage = (event) => {
+      try {
+        const data = JSON.parse(event.data);
+        if (data.type === "identity" || data.type === "passport_updated") {
+          setPassport(data.passport ?? null);
+        } else if (data.type === "revoked") {
+          setPassport(null);
+        }
+      } catch {
+      }
+    };
+    ws.onclose = () => {
+      setStatus("disconnected");
+      if (!closedRef.current && autoReconnect) {
+        const delay = Math.min(1e3 * Math.pow(2, reconnectAttemptRef.current), 3e4);
+        reconnectAttemptRef.current++;
+        reconnectTimerRef.current = setTimeout(() => {
+          reconnectTimerRef.current = null;
+          connect();
+        }, delay);
+      }
+    };
+    ws.onerror = () => {
+      setError(new Error("Passport WebSocket error"));
+      setStatus("error");
+    };
+  }, [bioIdUrl, accessToken, service, autoReconnect, cleanup]);
+  (0, import_react.useEffect)(() => {
+    closedRef.current = false;
+    connect();
+    return () => {
+      closedRef.current = true;
+      cleanup();
+      setStatus("disconnected");
+    };
+  }, [connect, cleanup]);
+  const disconnect = (0, import_react.useCallback)(() => {
+    closedRef.current = true;
+    cleanup();
+    setStatus("disconnected");
+  }, [cleanup]);
+  const reconnect = (0, import_react.useCallback)(() => {
+    closedRef.current = false;
+    reconnectAttemptRef.current = 0;
+    connect();
+  }, [connect]);
+  return { passport, status, error, disconnect, reconnect };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  usePassport
+});

package/dist/passport-react.mjs

@@ -0,0 +1,90 @@
+// src/passport-react.ts
+import { useState, useEffect, useRef, useCallback } from "react";
+function usePassport(options) {
+  const { bioIdUrl, accessToken, service, autoReconnect = true } = options;
+  const [passport, setPassport] = useState(null);
+  const [status, setStatus] = useState("disconnected");
+  const [error, setError] = useState(null);
+  const wsRef = useRef(null);
+  const reconnectTimerRef = useRef(null);
+  const reconnectAttemptRef = useRef(0);
+  const closedRef = useRef(false);
+  const cleanup = useCallback(() => {
+    if (reconnectTimerRef.current) {
+      clearTimeout(reconnectTimerRef.current);
+      reconnectTimerRef.current = null;
+    }
+    if (wsRef.current) {
+      wsRef.current.onclose = null;
+      wsRef.current.onerror = null;
+      wsRef.current.onmessage = null;
+      wsRef.current.close();
+      wsRef.current = null;
+    }
+  }, []);
+  const connect = useCallback(() => {
+    if (!accessToken || !bioIdUrl || closedRef.current) return;
+    cleanup();
+    setStatus("connecting");
+    setError(null);
+    const url = new URL("/passport", bioIdUrl.replace(/^http/, "ws"));
+    url.searchParams.set("token", accessToken);
+    url.searchParams.set("version", "1");
+    if (service) url.searchParams.set("service", service);
+    const ws = new WebSocket(url.toString());
+    wsRef.current = ws;
+    ws.onopen = () => {
+      reconnectAttemptRef.current = 0;
+      setStatus("connected");
+    };
+    ws.onmessage = (event) => {
+      try {
+        const data = JSON.parse(event.data);
+        if (data.type === "identity" || data.type === "passport_updated") {
+          setPassport(data.passport ?? null);
+        } else if (data.type === "revoked") {
+          setPassport(null);
+        }
+      } catch {
+      }
+    };
+    ws.onclose = () => {
+      setStatus("disconnected");
+      if (!closedRef.current && autoReconnect) {
+        const delay = Math.min(1e3 * Math.pow(2, reconnectAttemptRef.current), 3e4);
+        reconnectAttemptRef.current++;
+        reconnectTimerRef.current = setTimeout(() => {
+          reconnectTimerRef.current = null;
+          connect();
+        }, delay);
+      }
+    };
+    ws.onerror = () => {
+      setError(new Error("Passport WebSocket error"));
+      setStatus("error");
+    };
+  }, [bioIdUrl, accessToken, service, autoReconnect, cleanup]);
+  useEffect(() => {
+    closedRef.current = false;
+    connect();
+    return () => {
+      closedRef.current = true;
+      cleanup();
+      setStatus("disconnected");
+    };
+  }, [connect, cleanup]);
+  const disconnect = useCallback(() => {
+    closedRef.current = true;
+    cleanup();
+    setStatus("disconnected");
+  }, [cleanup]);
+  const reconnect = useCallback(() => {
+    closedRef.current = false;
+    reconnectAttemptRef.current = 0;
+    connect();
+  }, [connect]);
+  return { passport, status, error, disconnect, reconnect };
+}
+export {
+  usePassport
+};

package/dist/passport-types-bPgjNxv-.d.mts

@@ -0,0 +1,79 @@
+/** The full Passport identity object pushed via WebSocket */
+interface Passport {
+    bioId: string;
+    email: string;
+    firstName: string;
+    lastName: string;
+    orgSlug: string;
+    orgId: string;
+    roles: string[];
+    villages: PassportVillage[];
+    serviceGrants: PassportServiceGrant[];
+    crossOrgPermissions: PassportCrossOrgPermission[];
+    session: PassportSession;
+}
+interface PassportVillage {
+    slug: string;
+    name: string;
+    role: 'member' | 'admin' | 'owner';
+}
+interface PassportServiceGrant {
+    service: string;
+    scopes: string[];
+    grantedAt: string;
+}
+interface PassportCrossOrgPermission {
+    targetOrgSlug: string;
+    modules: string[];
+}
+interface PassportSession {
+    issuedAt: string;
+    lastSeen: string;
+    connectedServices: string[];
+}
+/** Interface for token refresh — accepts any object with a refreshToken method */
+interface PassportTokenRefresher {
+    refreshToken: (refreshToken: string) => Promise<{
+        access_token: string;
+        refresh_token?: string;
+    }>;
+}
+/** Configuration for PassportClient */
+interface PassportClientConfig {
+    /** Bio-ID base URL (e.g. https://bio.insureco.io) */
+    bioIdUrl: string;
+    /** Access token for authentication */
+    accessToken: string;
+    /** Service name sent as ?service= query param */
+    service?: string;
+    /** Auto-reconnect on disconnect (default: true) */
+    autoReconnect?: boolean;
+    /** Max reconnect delay in ms (default: 30000) */
+    maxReconnectDelay?: number;
+    /** Optional refresh token for auto-refresh on 4003 close */
+    refreshToken?: string;
+    /** Callback when tokens are refreshed (so app can persist new tokens) */
+    onTokenRefresh?: (tokens: {
+        access_token: string;
+        refresh_token?: string;
+    }) => void;
+    /** Token refresher (e.g. BioAuth instance) — required if refreshToken is set */
+    bioAuth?: PassportTokenRefresher;
+}
+/** Events emitted by the passport socket */
+type PassportEventType = 'identity' | 'passport_updated' | 'revoked';
+/** Message received from the passport WebSocket */
+interface PassportMessage {
+    type: PassportEventType;
+    passport?: Passport;
+}
+/** Status of the passport connection */
+type PassportStatus = 'connecting' | 'connected' | 'disconnected' | 'error';
+/** Branding config from passport (optional) */
+interface PassportBranding {
+    logoUrl?: string;
+    primaryColor?: string;
+    appName?: string;
+}
+
+export type { Passport as P, PassportStatus as a, PassportBranding as b, PassportClientConfig as c, PassportCrossOrgPermission as d, PassportEventType as e, PassportMessage as f, PassportServiceGrant as g, PassportSession as h, PassportTokenRefresher as i, PassportVillage as j };