@insureco/bio 0.5.0 → 0.8.0

package/dist/passport-types-bPgjNxv-.d.ts

@@ -0,0 +1,79 @@
+/** The full Passport identity object pushed via WebSocket */
+interface Passport {
+    bioId: string;
+    email: string;
+    firstName: string;
+    lastName: string;
+    orgSlug: string;
+    orgId: string;
+    roles: string[];
+    villages: PassportVillage[];
+    serviceGrants: PassportServiceGrant[];
+    crossOrgPermissions: PassportCrossOrgPermission[];
+    session: PassportSession;
+}
+interface PassportVillage {
+    slug: string;
+    name: string;
+    role: 'member' | 'admin' | 'owner';
+}
+interface PassportServiceGrant {
+    service: string;
+    scopes: string[];
+    grantedAt: string;
+}
+interface PassportCrossOrgPermission {
+    targetOrgSlug: string;
+    modules: string[];
+}
+interface PassportSession {
+    issuedAt: string;
+    lastSeen: string;
+    connectedServices: string[];
+}
+/** Interface for token refresh — accepts any object with a refreshToken method */
+interface PassportTokenRefresher {
+    refreshToken: (refreshToken: string) => Promise<{
+        access_token: string;
+        refresh_token?: string;
+    }>;
+}
+/** Configuration for PassportClient */
+interface PassportClientConfig {
+    /** Bio-ID base URL (e.g. https://bio.insureco.io) */
+    bioIdUrl: string;
+    /** Access token for authentication */
+    accessToken: string;
+    /** Service name sent as ?service= query param */
+    service?: string;
+    /** Auto-reconnect on disconnect (default: true) */
+    autoReconnect?: boolean;
+    /** Max reconnect delay in ms (default: 30000) */
+    maxReconnectDelay?: number;
+    /** Optional refresh token for auto-refresh on 4003 close */
+    refreshToken?: string;
+    /** Callback when tokens are refreshed (so app can persist new tokens) */
+    onTokenRefresh?: (tokens: {
+        access_token: string;
+        refresh_token?: string;
+    }) => void;
+    /** Token refresher (e.g. BioAuth instance) — required if refreshToken is set */
+    bioAuth?: PassportTokenRefresher;
+}
+/** Events emitted by the passport socket */
+type PassportEventType = 'identity' | 'passport_updated' | 'revoked';
+/** Message received from the passport WebSocket */
+interface PassportMessage {
+    type: PassportEventType;
+    passport?: Passport;
+}
+/** Status of the passport connection */
+type PassportStatus = 'connecting' | 'connected' | 'disconnected' | 'error';
+/** Branding config from passport (optional) */
+interface PassportBranding {
+    logoUrl?: string;
+    primaryColor?: string;
+    appName?: string;
+}
+
+export type { Passport as P, PassportStatus as a, PassportBranding as b, PassportClientConfig as c, PassportCrossOrgPermission as d, PassportEventType as e, PassportMessage as f, PassportServiceGrant as g, PassportSession as h, PassportTokenRefresher as i, PassportVillage as j };

package/dist/passport.d.mts

@@ -0,0 +1,70 @@
+import { c as PassportClientConfig, P as Passport, a as PassportStatus } from './passport-types-bPgjNxv-.mjs';
+export { b as PassportBranding, d as PassportCrossOrgPermission, e as PassportEventType, f as PassportMessage, g as PassportServiceGrant, h as PassportSession, i as PassportTokenRefresher, j as PassportVillage } from './passport-types-bPgjNxv-.mjs';
+
+type PassportEventHandler = (passport: Passport | null) => void;
+type StatusEventHandler = (status: PassportStatus) => void;
+type ErrorEventHandler = (error: Error) => void;
+interface PassportEventMap {
+    identity: PassportEventHandler;
+    passport_updated: PassportEventHandler;
+    revoked: () => void;
+    connected: StatusEventHandler;
+    disconnected: StatusEventHandler;
+    error: ErrorEventHandler;
+}
+/**
+ * Client for the Bio-ID passport WebSocket.
+ *
+ * Connects to the passport endpoint and emits events when the user's
+ * identity, permissions, or session change in real time.
+ *
+ * @example
+ * import { PassportClient } from '@insureco/bio/passport'
+ *
+ * const client = new PassportClient({
+ *   bioIdUrl: 'https://bio.insureco.io',
+ *   accessToken: userToken,
+ *   service: 'my-service',
+ * })
+ *
+ * client.on('identity', (passport) => {
+ *   console.log('Logged in as', passport?.firstName)
+ * })
+ *
+ * client.on('passport_updated', (passport) => {
+ *   console.log('Passport updated', passport?.roles)
+ * })
+ *
+ * client.connect()
+ */
+declare class PassportClient {
+    private readonly config;
+    private ws;
+    private _passport;
+    private _status;
+    private reconnectAttempt;
+    private reconnectTimer;
+    private listeners;
+    private closed;
+    constructor(config: PassportClientConfig);
+    /** Current passport object (null until first identity message) */
+    get passport(): Passport | null;
+    /** Current connection status */
+    get status(): PassportStatus;
+    /** Connect to the passport WebSocket */
+    connect(): void;
+    /** Subscribe to an event */
+    on<K extends keyof PassportEventMap>(event: K, handler: PassportEventMap[K]): void;
+    /** Unsubscribe from an event */
+    off<K extends keyof PassportEventMap>(event: K, handler: PassportEventMap[K]): void;
+    /** Disconnect and stop reconnecting */
+    close(): void;
+    /** Update access token (e.g. after refresh) and reconnect */
+    updateToken(accessToken: string): void;
+    private handleTokenRefresh;
+    private setStatus;
+    private emit;
+    private scheduleReconnect;
+}
+
+export { Passport, PassportClient, PassportClientConfig, PassportStatus };

package/dist/passport.d.ts

@@ -0,0 +1,70 @@
+import { c as PassportClientConfig, P as Passport, a as PassportStatus } from './passport-types-bPgjNxv-.js';
+export { b as PassportBranding, d as PassportCrossOrgPermission, e as PassportEventType, f as PassportMessage, g as PassportServiceGrant, h as PassportSession, i as PassportTokenRefresher, j as PassportVillage } from './passport-types-bPgjNxv-.js';
+
+type PassportEventHandler = (passport: Passport | null) => void;
+type StatusEventHandler = (status: PassportStatus) => void;
+type ErrorEventHandler = (error: Error) => void;
+interface PassportEventMap {
+    identity: PassportEventHandler;
+    passport_updated: PassportEventHandler;
+    revoked: () => void;
+    connected: StatusEventHandler;
+    disconnected: StatusEventHandler;
+    error: ErrorEventHandler;
+}
+/**
+ * Client for the Bio-ID passport WebSocket.
+ *
+ * Connects to the passport endpoint and emits events when the user's
+ * identity, permissions, or session change in real time.
+ *
+ * @example
+ * import { PassportClient } from '@insureco/bio/passport'
+ *
+ * const client = new PassportClient({
+ *   bioIdUrl: 'https://bio.insureco.io',
+ *   accessToken: userToken,
+ *   service: 'my-service',
+ * })
+ *
+ * client.on('identity', (passport) => {
+ *   console.log('Logged in as', passport?.firstName)
+ * })
+ *
+ * client.on('passport_updated', (passport) => {
+ *   console.log('Passport updated', passport?.roles)
+ * })
+ *
+ * client.connect()
+ */
+declare class PassportClient {
+    private readonly config;
+    private ws;
+    private _passport;
+    private _status;
+    private reconnectAttempt;
+    private reconnectTimer;
+    private listeners;
+    private closed;
+    constructor(config: PassportClientConfig);
+    /** Current passport object (null until first identity message) */
+    get passport(): Passport | null;
+    /** Current connection status */
+    get status(): PassportStatus;
+    /** Connect to the passport WebSocket */
+    connect(): void;
+    /** Subscribe to an event */
+    on<K extends keyof PassportEventMap>(event: K, handler: PassportEventMap[K]): void;
+    /** Unsubscribe from an event */
+    off<K extends keyof PassportEventMap>(event: K, handler: PassportEventMap[K]): void;
+    /** Disconnect and stop reconnecting */
+    close(): void;
+    /** Update access token (e.g. after refresh) and reconnect */
+    updateToken(accessToken: string): void;
+    private handleTokenRefresh;
+    private setStatus;
+    private emit;
+    private scheduleReconnect;
+}
+
+export { Passport, PassportClient, PassportClientConfig, PassportStatus };

package/dist/passport.js

@@ -0,0 +1,180 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/passport.ts
+var passport_exports = {};
+__export(passport_exports, {
+  PassportClient: () => PassportClient
+});
+module.exports = __toCommonJS(passport_exports);
+
+// src/passport-client.ts
+var PassportClient = class {
+  config;
+  ws = null;
+  _passport = null;
+  _status = "disconnected";
+  reconnectAttempt = 0;
+  reconnectTimer = null;
+  listeners = /* @__PURE__ */ new Map();
+  closed = false;
+  constructor(config) {
+    this.config = {
+      autoReconnect: true,
+      maxReconnectDelay: 3e4,
+      ...config
+    };
+  }
+  /** Current passport object (null until first identity message) */
+  get passport() {
+    return this._passport;
+  }
+  /** Current connection status */
+  get status() {
+    return this._status;
+  }
+  /** Connect to the passport WebSocket */
+  connect() {
+    if (this.closed) return;
+    this.setStatus("connecting");
+    const url = new URL("/passport", this.config.bioIdUrl.replace(/^http/, "ws"));
+    url.searchParams.set("token", this.config.accessToken);
+    url.searchParams.set("version", "1");
+    if (this.config.service) {
+      url.searchParams.set("service", this.config.service);
+    }
+    this.ws = new WebSocket(url.toString());
+    this.ws.onopen = () => {
+      this.reconnectAttempt = 0;
+      this.setStatus("connected");
+      this.emit("connected", this._status);
+    };
+    this.ws.onmessage = (event) => {
+      try {
+        const data = JSON.parse(
+          typeof event.data === "string" ? event.data : ""
+        );
+        if (data.type === "identity" || data.type === "passport_updated") {
+          this._passport = data.passport ?? null;
+          this.emit(data.type, this._passport);
+        } else if (data.type === "revoked") {
+          this._passport = null;
+          this.emit("revoked");
+        }
+      } catch {
+      }
+    };
+    this.ws.onclose = (event) => {
+      this.setStatus("disconnected");
+      this.emit("disconnected", this._status);
+      if (event?.code === 4003 && this.config.refreshToken && this.config.bioAuth) {
+        this.handleTokenRefresh();
+        return;
+      }
+      this.scheduleReconnect();
+    };
+    this.ws.onerror = () => {
+      const error = new Error("Passport WebSocket error");
+      this.emit("error", error);
+    };
+  }
+  /** Subscribe to an event */
+  on(event, handler) {
+    if (!this.listeners.has(event)) {
+      this.listeners.set(event, /* @__PURE__ */ new Set());
+    }
+    this.listeners.get(event).add(handler);
+  }
+  /** Unsubscribe from an event */
+  off(event, handler) {
+    this.listeners.get(event)?.delete(handler);
+  }
+  /** Disconnect and stop reconnecting */
+  close() {
+    this.closed = true;
+    if (this.reconnectTimer) {
+      clearTimeout(this.reconnectTimer);
+      this.reconnectTimer = null;
+    }
+    if (this.ws) {
+      this.ws.onclose = null;
+      this.ws.close();
+      this.ws = null;
+    }
+    this.setStatus("disconnected");
+  }
+  /** Update access token (e.g. after refresh) and reconnect */
+  updateToken(accessToken) {
+    this.config.accessToken = accessToken;
+    if (this.ws) {
+      this.ws.onclose = null;
+      this.ws.close();
+      this.ws = null;
+    }
+    this.reconnectAttempt = 0;
+    this.connect();
+  }
+  async handleTokenRefresh() {
+    if (!this.config.refreshToken || !this.config.bioAuth) return;
+    try {
+      const tokens = await this.config.bioAuth.refreshToken(this.config.refreshToken);
+      this.config.accessToken = tokens.access_token;
+      if (tokens.refresh_token) {
+        this.config.refreshToken = tokens.refresh_token;
+      }
+      if (this.config.onTokenRefresh) {
+        this.config.onTokenRefresh(tokens);
+      }
+      this.reconnectAttempt = 0;
+      this.connect();
+    } catch {
+      this.emit("error", new Error("Token refresh failed"));
+    }
+  }
+  setStatus(status) {
+    this._status = status;
+  }
+  emit(event, ...args) {
+    const handlers = this.listeners.get(event);
+    if (handlers) {
+      for (const handler of handlers) {
+        try {
+          handler(...args);
+        } catch {
+        }
+      }
+    }
+  }
+  scheduleReconnect() {
+    if (this.closed || !this.config.autoReconnect) return;
+    const delay = Math.min(
+      1e3 * Math.pow(2, this.reconnectAttempt),
+      this.config.maxReconnectDelay ?? 3e4
+    );
+    this.reconnectAttempt++;
+    this.reconnectTimer = setTimeout(() => {
+      this.reconnectTimer = null;
+      this.connect();
+    }, delay);
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  PassportClient
+});

package/dist/passport.mjs

@@ -0,0 +1,6 @@
+import {
+  PassportClient
+} from "./chunk-UBURAGWI.mjs";
+export {
+  PassportClient
+};

package/dist/{types-Dkb-drHZ.d.mts → types-DOpXwdF2.d.mts}

@@ -35,6 +35,15 @@ interface AuthorizeOptions {
     /** Optional org slug to pre-select during authorization (for multi-org users) */
     organization?: string;
 }
+/** Options for silent authentication (prompt=none) */
+interface SilentAuthOptions {
+    /** Callback URL where Bio-ID redirects after silent auth */
+    redirectUri: string;
+    /** OAuth scopes to request (default: ['openid', 'profile', 'email']) */
+    scopes?: string[];
+    /** CSRF state parameter (auto-generated if not provided) */
+    state?: string;
+}
 /** Result from getAuthorizationUrl() */
 interface AuthorizeResult {
     /** Full authorization URL to redirect the user to */
@@ -266,19 +275,32 @@ interface OrgMemberFilters {
     modules?: string[];
     /** Only return members with these roles */
     roles?: string[];
+    /** Service ID for role-taxonomy resolution (e.g. 'iifs-collections') */
+    service?: string;
     /** Max results (default: 50) */
     limit?: number;
     /** Page number for pagination (default: 1) */
     page?: number;
 }
+/** A role within a service's taxonomy, resolved when querying with `service` filter */
+interface ServiceRole {
+    /** Role ID within the service taxonomy (e.g. 'collections:manager') */
+    id: string;
+    /** Human-readable label (e.g. 'Collections Manager') */
+    label: string;
+}
 /** A member as returned by GET /api/v2/users or GET /api/orgs/[slug]/members */
 interface OrgMember {
     bioId: string;
     email: string;
     name: string;
+    /** Which org this user belongs to */
+    orgSlug?: string;
     jobTitle?: string;
     enabled_modules: string[];
     roles?: string[];
+    /** Roles within the querying service's taxonomy (present when `service` filter is used) */
+    serviceRoles?: ServiceRole[];
 }
 /** Paginated response from the user access endpoints */
 interface OrgMembersResult {
@@ -298,5 +320,99 @@ interface AdminResponse<T> {
         limit: number;
     };
 }
+/** Configuration for EmbedClient (headless embed auth) */
+interface EmbedClientConfig {
+    /** OAuth client ID (env: BIO_CLIENT_ID) */
+    clientId: string;
+    /** OAuth client secret (env: BIO_CLIENT_SECRET) */
+    clientSecret: string;
+    /** Bio-ID base URL (env: BIO_ID_URL, default: https://bio.tawa.pro) */
+    bioIdUrl?: string;
+    /** Number of retry attempts on transient failures (default: 2) */
+    retries?: number;
+    /** Request timeout in milliseconds (default: 10000) */
+    timeoutMs?: number;
+}
+/** Parameters for embed login */
+interface EmbedLoginParams {
+    /** User email address */
+    email: string;
+    /** User password */
+    password: string;
+}
+/** Parameters for embed signup */
+interface EmbedSignupParams {
+    /** User email address */
+    email: string;
+    /** User password */
+    password: string;
+    /** Display name */
+    name: string;
+    /** Optional invite token for org-scoped signups */
+    inviteToken?: string;
+}
+/** Parameters for sending a magic link */
+interface EmbedMagicLinkParams {
+    /** Email address to send the magic link to */
+    email: string;
+}
+/** Parameters for verifying a magic link token */
+interface EmbedVerifyParams {
+    /** Magic link token from the email */
+    token: string;
+}
+/** Parameters for refreshing an access token */
+interface EmbedRefreshParams {
+    /** Refresh token from a previous login/signup/verify/refresh */
+    refreshToken: string;
+}
+/** Parameters for logout (token revocation) */
+interface EmbedLogoutParams {
+    /** Refresh token to revoke */
+    refreshToken: string;
+}
+/** User profile returned by embed endpoints */
+interface EmbedUser {
+    /** Unique Bio-ID identifier */
+    bioId: string;
+    /** User email address */
+    email: string;
+    /** Display name */
+    name: string;
+    /** Organization slug (if the user belongs to an org) */
+    orgSlug?: string;
+}
+/** Branding data returned by embed endpoints */
+interface EmbedBranding {
+    /** Organization display name */
+    displayName?: string;
+    /** Full logo URL */
+    logoUrl?: string;
+    /** Logo mark (icon) URL */
+    logoMarkUrl?: string;
+    /** Primary brand color (hex) */
+    primaryColor?: string;
+    /** Secondary brand color (hex) */
+    secondaryColor?: string;
+    /** Whether the org is verified */
+    verified?: boolean;
+    /** Whether white-label is approved for this org */
+    whiteLabelApproved?: boolean;
+}
+/** Auth result from embed login, signup, verify, or refresh */
+interface EmbedAuthResult {
+    /** JWT access token */
+    accessToken: string;
+    /** Refresh token (use with refresh() or logout()) */
+    refreshToken: string;
+    /** Token type (always 'Bearer') */
+    tokenType: 'Bearer';
+    /** Access token lifetime in seconds */
+    expiresIn: number;
+    /** Authenticated user profile */
+    user: EmbedUser;
+    /** Optional org branding (present when the user belongs to a branded org) */
+    branding?: EmbedBranding;
+}
 
-export type { AuthorizeOptions as A, BioAuthConfig as B, CreateDepartmentData as C, IntrospectResult as I, JWKSVerifyOptions as J, OrgMember as O, TokenResponse as T, UserFilters as U, VerifyOptions as V, AuthorizeResult as a, BioUser as b, BioAdminConfig as c, UpdateUserData as d, BioDepartment as e, BioRole as f, CreateRoleData as g, BioOAuthClient as h, CreateClientData as i, BioTokenPayload as j, AdminResponse as k, BioAddress as l, BioClientTokenPayload as m, BioMessaging as n, BioUsersConfig as o, OrgMemberFilters as p, OrgMembersResult as q };
+export type { AuthorizeOptions as A, BioUsersConfig as B, CreateDepartmentData as C, ServiceRole as D, EmbedClientConfig as E, IntrospectResult as I, JWKSVerifyOptions as J, OrgMemberFilters as O, SilentAuthOptions as S, TokenResponse as T, UserFilters as U, VerifyOptions as V, OrgMembersResult as a, BioAuthConfig as b, AuthorizeResult as c, BioUser as d, BioAdminConfig as e, UpdateUserData as f, BioDepartment as g, BioRole as h, CreateRoleData as i, BioOAuthClient as j, CreateClientData as k, EmbedLoginParams as l, EmbedAuthResult as m, EmbedSignupParams as n, EmbedMagicLinkParams as o, EmbedVerifyParams as p, EmbedRefreshParams as q, EmbedLogoutParams as r, BioTokenPayload as s, AdminResponse as t, BioAddress as u, BioClientTokenPayload as v, BioMessaging as w, EmbedBranding as x, EmbedUser as y, OrgMember as z };