@intelicity/gates-sdk 0.1.5 → 0.2.0

package/dist/errors/error.js

@@ -1,19 +1,19 @@
-// src/errors/error.ts
-/**
- * Base error class for authentication-related errors
- */
-export class AuthenticationError extends Error {
+export class GatesError extends Error {
     code;
     constructor(message, code) {
         super(message);
         this.code = code;
+        this.name = "GatesError";
+        Object.setPrototypeOf(this, GatesError.prototype);
+    }
+}
+export class AuthenticationError extends GatesError {
+    constructor(message, code) {
+        super(message, code);
         this.name = "AuthenticationError";
         Object.setPrototypeOf(this, AuthenticationError.prototype);
     }
 }
-/**
- * Error thrown when a token has expired
- */
 export class TokenExpiredError extends AuthenticationError {
     constructor(message = "Token has expired") {
         super(message, "TOKEN_EXPIRED");
@@ -21,9 +21,6 @@ export class TokenExpiredError extends AuthenticationError {
         Object.setPrototypeOf(this, TokenExpiredError.prototype);
     }
 }
-/**
- * Error thrown when a token is invalid
- */
 export class InvalidTokenError extends AuthenticationError {
     constructor(message = "Invalid token") {
         super(message, "INVALID_TOKEN");
@@ -31,13 +28,52 @@ export class InvalidTokenError extends AuthenticationError {
         Object.setPrototypeOf(this, InvalidTokenError.prototype);
     }
 }
-/**
- * Error thrown when authorization header is missing
- */
 export class MissingAuthorizationError extends AuthenticationError {
-    constructor(message = "Missing Authorization header") {
+    constructor(message = "Authorization header is missing") {
         super(message, "MISSING_AUTHORIZATION");
         this.name = "MissingAuthorizationError";
         Object.setPrototypeOf(this, MissingAuthorizationError.prototype);
     }
 }
+export class UnauthorizedGroupError extends AuthenticationError {
+    requiredGroups;
+    constructor(message, requiredGroups) {
+        super(message, "UNAUTHORIZED_GROUP");
+        this.requiredGroups = requiredGroups;
+        this.name = "UnauthorizedGroupError";
+        Object.setPrototypeOf(this, UnauthorizedGroupError.prototype);
+    }
+}
+export class ApiError extends GatesError {
+    statusCode;
+    constructor(message, statusCode, code) {
+        super(message, code);
+        this.statusCode = statusCode;
+        this.name = "ApiError";
+        Object.setPrototypeOf(this, ApiError.prototype);
+    }
+}
+export class ApiRequestError extends ApiError {
+    constructor(message, statusCode) {
+        super(message, statusCode, "API_REQUEST_ERROR");
+        this.name = "ApiRequestError";
+        Object.setPrototypeOf(this, ApiRequestError.prototype);
+    }
+}
+export class MissingParameterError extends GatesError {
+    constructor(parameterName) {
+        super(`Missing required parameter: ${parameterName}`, "MISSING_PARAMETER");
+        this.name = "MissingParameterError";
+        Object.setPrototypeOf(this, MissingParameterError.prototype);
+    }
+}
+export class InvalidParameterError extends GatesError {
+    constructor(parameterName, reason) {
+        const message = reason
+            ? `Invalid parameter '${parameterName}': ${reason}`
+            : `Invalid parameter: ${parameterName}`;
+        super(message, "INVALID_PARAMETER");
+        this.name = "InvalidParameterError";
+        Object.setPrototypeOf(this, InvalidParameterError.prototype);
+    }
+}

package/dist/index.d.ts

@@ -1,6 +1,6 @@
-export type { GatesUser as GatesUser } from "./models/user.js";
-export type { UserProfile as Profile, ProfileAttribute, } from "./models/profile.js";
-export { GatesUserService as UserService, type UserListResponse, type GetAllUsersOptions, } from "./services/user-service.js";
-export { GatesAuthService as AuthService, type VerifyOptions, } from "./services/auth-service.js";
-export { AuthenticationError, TokenExpiredError, InvalidTokenError, MissingAuthorizationError, } from "./errors/error.js";
+export type { GatesUser, GatesRole } from "./models/user.js";
+export { AuthService, type VerifyOptions } from "./services/auth-service.js";
+export { GatesAdminService, type GatesAdminConfig, type CreateUserParams, type CreateUserResponse, type UpdateUserParams, } from "./services/admin-service.js";
+export { extractToken, authenticate, authorize, handleAuth, type AuthHandlerConfig, } from "./auth/middleware.js";
+export { GatesError, AuthenticationError, TokenExpiredError, InvalidTokenError, MissingAuthorizationError, UnauthorizedGroupError, ApiError, ApiRequestError, MissingParameterError, InvalidParameterError, } from "./errors/error.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,YAAY,EAAE,SAAS,IAAI,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC/D,YAAY,EACV,WAAW,IAAI,OAAO,EACtB,gBAAgB,GACjB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,gBAAgB,IAAI,WAAW,EAC/B,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,GACxB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,gBAAgB,IAAI,WAAW,EAC/B,KAAK,aAAa,GACnB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,iBAAiB,EACjB,yBAAyB,GAC1B,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAG7D,OAAO,EAAE,WAAW,EAAE,KAAK,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAE7E,OAAO,EACL,iBAAiB,EACjB,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,GACtB,MAAM,6BAA6B,CAAC;AAGrC,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,SAAS,EACT,UAAU,EACV,KAAK,iBAAiB,GACvB,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EACL,UAAU,EACV,mBAAmB,EACnB,iBAAiB,EACjB,iBAAiB,EACjB,yBAAyB,EACzB,sBAAsB,EACtB,QAAQ,EACR,eAAe,EACf,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,mBAAmB,CAAC"}

package/dist/index.js

@@ -1,3 +1,7 @@
-export { GatesUserService as UserService, } from "./services/user-service.js";
-export { GatesAuthService as AuthService, } from "./services/auth-service.js";
-export { AuthenticationError, TokenExpiredError, InvalidTokenError, MissingAuthorizationError, } from "./errors/error.js";
+// Services
+export { AuthService } from "./services/auth-service.js";
+export { GatesAdminService, } from "./services/admin-service.js";
+// Middleware
+export { extractToken, authenticate, authorize, handleAuth, } from "./auth/middleware.js";
+// Errors
+export { GatesError, AuthenticationError, TokenExpiredError, InvalidTokenError, MissingAuthorizationError, UnauthorizedGroupError, ApiError, ApiRequestError, MissingParameterError, InvalidParameterError, } from "./errors/error.js";

package/dist/models/user.d.ts

@@ -1,12 +1,11 @@
-/**
- * Tipagem base do payload que sai do Cognito.
- * Você pode estender com claims próprias (ex.: permissions, system_access).
- */
+export type GatesRole = "INTERNAL_ADMIN" | "INTERNAL_USER" | "CLIENT_ADMIN" | "CLIENT_USER";
 export type GatesUser = {
     user_id: string;
-    email: string;
-    name: string;
-    role: string;
+    email?: string;
+    name?: string;
+    role?: string;
+    groups: string[];
+    token_use: "access" | "id";
     exp: number;
     iat: number;
 };

package/dist/models/user.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"user.d.ts","sourceRoot":"","sources":["../../src/models/user.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,MAAM,SAAS,GAAG;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb,CAAC"}
+{"version":3,"file":"user.d.ts","sourceRoot":"","sources":["../../src/models/user.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,SAAS,GACjB,gBAAgB,GAChB,eAAe,GACf,cAAc,GACd,aAAa,CAAC;AAElB,MAAM,MAAM,SAAS,GAAG;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,SAAS,EAAE,QAAQ,GAAG,IAAI,CAAC;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb,CAAC"}

package/dist/services/admin-service.d.ts

@@ -0,0 +1,26 @@
+import { GatesRole } from "../models/user.js";
+export type GatesAdminConfig = {
+    baseUrl: string;
+};
+export type CreateUserParams = {
+    email: string;
+    name: string;
+    role: GatesRole;
+    client: string;
+};
+export type CreateUserResponse = {
+    sub: string;
+};
+export type UpdateUserParams = {
+    user_id: string;
+    clients_to_add?: string[];
+    clients_to_remove?: string[];
+};
+export declare class GatesAdminService {
+    private readonly baseUrl;
+    constructor(config: GatesAdminConfig);
+    createUser(idToken: string, params: CreateUserParams): Promise<CreateUserResponse>;
+    updateUser(idToken: string, params: UpdateUserParams): Promise<void>;
+    private request;
+}
+//# sourceMappingURL=admin-service.d.ts.map

package/dist/services/admin-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-service.d.ts","sourceRoot":"","sources":["../../src/services/admin-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAO9C,MAAM,MAAM,gBAAgB,GAAG;IAC7B,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,SAAS,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC9B,CAAC;AASF,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;gBAErB,MAAM,EAAE,gBAAgB;IAO9B,UAAU,CACd,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC,kBAAkB,CAAC;IAgDxB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC;YAgB5D,OAAO;CAmCtB"}

package/dist/services/admin-service.js

@@ -0,0 +1,92 @@
+import { MissingParameterError, InvalidParameterError, ApiRequestError, } from "../errors/error.js";
+const VALID_ROLES = [
+    "INTERNAL_ADMIN",
+    "INTERNAL_USER",
+    "CLIENT_ADMIN",
+    "CLIENT_USER",
+];
+export class GatesAdminService {
+    baseUrl;
+    constructor(config) {
+        if (!config.baseUrl || config.baseUrl.trim().length === 0) {
+            throw new MissingParameterError("baseUrl");
+        }
+        this.baseUrl = config.baseUrl.replace(/\/$/, "");
+    }
+    async createUser(idToken, params) {
+        if (!idToken) {
+            throw new MissingParameterError("idToken");
+        }
+        if (!params.email || params.email.trim().length === 0) {
+            throw new MissingParameterError("email");
+        }
+        if (!params.name || params.name.trim().length === 0) {
+            throw new MissingParameterError("name");
+        }
+        if (!params.role) {
+            throw new MissingParameterError("role");
+        }
+        if (!VALID_ROLES.includes(params.role)) {
+            throw new InvalidParameterError("role", `must be one of: ${VALID_ROLES.join(", ")}`);
+        }
+        if (!params.client || params.client.trim().length === 0) {
+            throw new MissingParameterError("client");
+        }
+        const response = await this.request("POST", "/create-user", idToken, {
+            email: params.email,
+            name: params.name,
+            role: params.role,
+        });
+        const data = (await response.json());
+        if (!data.sub) {
+            throw new ApiRequestError("Response missing 'sub' field");
+        }
+        await this.updateUser(idToken, {
+            user_id: data.sub,
+            clients_to_add: [params.client],
+        });
+        return data;
+    }
+    async updateUser(idToken, params) {
+        if (!idToken) {
+            throw new MissingParameterError("idToken");
+        }
+        if (!params.user_id || params.user_id.trim().length === 0) {
+            throw new MissingParameterError("user_id");
+        }
+        await this.request("PUT", "/update-user", idToken, {
+            user_id: params.user_id,
+            clients_to_add: params.clients_to_add,
+            clients_to_remove: params.clients_to_remove,
+        });
+    }
+    async request(method, path, idToken, body) {
+        let response;
+        try {
+            response = await fetch(`${this.baseUrl}${path}`, {
+                method,
+                headers: {
+                    "Content-Type": "application/json",
+                    Authorization: `Bearer ${idToken}`,
+                },
+                body: JSON.stringify(body),
+            });
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Unknown network error";
+            throw new ApiRequestError(`Failed to reach Gates API: ${message}`);
+        }
+        if (!response.ok) {
+            let detail;
+            try {
+                const errorBody = (await response.json());
+                detail = errorBody.message ?? response.statusText;
+            }
+            catch {
+                detail = response.statusText;
+            }
+            throw new ApiRequestError(`Gates API error: ${detail}`, response.status);
+        }
+        return response;
+    }
+}

package/dist/services/auth-service.d.ts

@@ -2,17 +2,14 @@ import { GatesUser } from "../models/user.js";
 export type VerifyOptions = {
     region: string;
     userPoolId: string;
-    audience: string;
-    requiredGroup?: string | string[];
+    clientId: string;
 };
-export declare class GatesAuthService {
+export declare class AuthService {
     private readonly region;
     private readonly userPoolId;
-    private readonly audience;
-    private readonly requiredGroup?;
-    constructor(region: string, userPoolId: string, audience: string, requiredGroup?: string | string[]);
+    private readonly clientId;
+    constructor(region: string, userPoolId: string, clientId: string);
     private get issuer();
-    isMemberOf(groups?: string[]): boolean;
     verifyToken(token: string): Promise<GatesUser>;
 }
 //# sourceMappingURL=auth-service.d.ts.map

package/dist/services/auth-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-service.d.ts","sourceRoot":"","sources":["../../src/services/auth-service.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAE9C,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;CACnC,CAAC;AAEF,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAoB;gBAGjD,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,EAChB,aAAa,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE;IAiCnC,OAAO,KAAK,MAAM,GAEjB;IAED,UAAU,CAAC,MAAM,GAAE,MAAM,EAAO,GAAG,OAAO;IAgBpC,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CAiDrD"}
+{"version":3,"file":"auth-service.d.ts","sourceRoot":"","sources":["../../src/services/auth-service.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAQ9C,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAEtB,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM;IAiChE,OAAO,KAAK,MAAM,GAEjB;IAEK,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CAqFrD"}

package/dist/services/auth-service.js

@@ -1,80 +1,95 @@
-import { jwtVerify } from "jose";
+import { jwtVerify, errors as joseErrors } from "jose";
 import { getJwks } from "../cache/jwks-cache.js";
-export class GatesAuthService {
+import { InvalidParameterError, MissingParameterError, TokenExpiredError, InvalidTokenError, } from "../errors/error.js";
+export class AuthService {
     region;
     userPoolId;
-    audience;
-    requiredGroup;
-    constructor(region, userPoolId, audience, requiredGroup) {
+    clientId;
+    constructor(region, userPoolId, clientId) {
         if (!region || typeof region !== "string" || region.trim().length === 0) {
-            throw new Error("Region é obrigatória e deve ser uma string válida");
+            throw new MissingParameterError("region");
         }
         if (!userPoolId ||
             typeof userPoolId !== "string" ||
             userPoolId.trim().length === 0) {
-            throw new Error("UserPoolId é obrigatório e deve ser uma string válida");
+            throw new MissingParameterError("userPoolId");
         }
-        if (!audience ||
-            typeof audience !== "string" ||
-            audience.trim().length === 0) {
-            throw new Error("Audience é obrigatória e deve ser uma string válida");
+        if (!clientId ||
+            typeof clientId !== "string" ||
+            clientId.trim().length === 0) {
+            throw new MissingParameterError("clientId");
         }
-        // Validar formato do userPoolId (deve seguir padrão AWS)
         if (!/^[a-zA-Z0-9_-]+$/.test(userPoolId)) {
-            throw new Error("UserPoolId possui formato inválido");
+            throw new InvalidParameterError("userPoolId", "must follow AWS format (alphanumeric, hyphens, and underscores only)");
         }
         this.region = region;
         this.userPoolId = userPoolId;
-        this.audience = audience;
-        this.requiredGroup = requiredGroup;
+        this.clientId = clientId;
     }
     get issuer() {
         return `https://cognito-idp.${this.region}.amazonaws.com/${this.userPoolId}`;
     }
-    isMemberOf(groups = []) {
-        if (!Array.isArray(groups)) {
-            return false;
-        }
-        if (!this.requiredGroup) {
-            return true;
-        }
-        const requiredGroups = Array.isArray(this.requiredGroup)
-            ? this.requiredGroup
-            : [this.requiredGroup];
-        return groups.some((g) => requiredGroups.includes(g));
-    }
     async verifyToken(token) {
         if (!token) {
-            throw new Error("Token não fornecido");
+            throw new MissingParameterError("token");
         }
-        const jwks = getJwks(this.region, this.userPoolId);
-        const { payload } = await jwtVerify(token, jwks, {
-            issuer: this.issuer,
-            audience: this.audience,
-        });
-        if (this.requiredGroup) {
-            const userGroups = payload["cognito:groups"];
-            if (!userGroups || !Array.isArray(userGroups)) {
-                throw new Error("Usuário não pertence ao sistema");
+        try {
+            const jwks = getJwks(this.region, this.userPoolId);
+            const { payload } = await jwtVerify(token, jwks, {
+                issuer: this.issuer,
+            });
+            const tokenUse = payload.token_use;
+            if (tokenUse !== "access" && tokenUse !== "id") {
+                throw new InvalidTokenError(`Unsupported token_use: expected "access" or "id", got "${tokenUse}"`);
+            }
+            if (tokenUse === "access") {
+                const clientId = payload.client_id;
+                if (clientId !== this.clientId) {
+                    throw new InvalidTokenError("Token client_id does not match the expected clientId");
+                }
+            }
+            else {
+                const aud = payload.aud;
+                const audValue = Array.isArray(aud) ? aud[0] : aud;
+                if (audValue !== this.clientId) {
+                    throw new InvalidTokenError("Token audience does not match the expected clientId");
+                }
+            }
+            const groups = payload["cognito:groups"] ?? [];
+            const user = {
+                user_id: payload.sub,
+                email: payload.email,
+                name: payload.name,
+                role: payload["custom:general_role"],
+                groups,
+                token_use: tokenUse,
+                exp: payload.exp,
+                iat: payload.iat,
+            };
+            return user;
+        }
+        catch (error) {
+            if (error instanceof InvalidTokenError ||
+                error instanceof MissingParameterError) {
+                throw error;
+            }
+            if (error instanceof joseErrors.JWTExpired) {
+                throw new TokenExpiredError();
+            }
+            if (error instanceof joseErrors.JWTInvalid) {
+                throw new InvalidTokenError("Invalid or malformed token");
             }
-            const requiredGroups = Array.isArray(this.requiredGroup)
-                ? this.requiredGroup
-                : [this.requiredGroup];
-            // Verifica se o usuário tem pelo menos um dos grupos obrigatórios
-            const hasRequiredGroup = requiredGroups.some((group) => userGroups.includes(group));
-            if (!hasRequiredGroup) {
-                throw new Error(`Usuário deve ser membro de um dos seguintes sistemas: ${requiredGroups.join(", ")}`);
+            if (error instanceof Error) {
+                if (error.message.includes("expired")) {
+                    throw new TokenExpiredError(error.message);
+                }
+                if (error.message.includes("signature") ||
+                    error.message.includes("invalid")) {
+                    throw new InvalidTokenError(error.message);
+                }
+                throw new InvalidTokenError(`Token verification failed: ${error.message}`);
             }
+            throw new InvalidTokenError("Token verification failed");
         }
-        // Mapear o payload do Cognito para o formato do GatesUser
-        const user = {
-            user_id: payload.sub,
-            email: payload.email,
-            name: payload.name,
-            role: payload["custom:general_role"],
-            exp: payload.exp,
-            iat: payload.iat,
-        };
-        return user;
     }
 }

package/dist/services/client-auth.d.ts

@@ -0,0 +1,22 @@
+export type ClientCredentialsConfig = {
+    domain: string;
+    clientId: string;
+    clientSecret: string;
+    scopes?: string[];
+};
+export type ClientToken = {
+    access_token: string;
+    expires_in: number;
+    token_type: string;
+};
+export declare class GatesClientAuth {
+    private readonly tokenEndpoint;
+    private readonly clientId;
+    private readonly clientSecret;
+    private readonly scopes;
+    private cachedToken;
+    constructor(config: ClientCredentialsConfig);
+    getAccessToken(): Promise<string>;
+    clearCache(): void;
+}
+//# sourceMappingURL=client-auth.d.ts.map

package/dist/services/client-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-auth.d.ts","sourceRoot":"","sources":["../../src/services/client-auth.ts"],"names":[],"mappings":"AAKA,MAAM,MAAM,uBAAuB,GAAG;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACxB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAW;IAClC,OAAO,CAAC,WAAW,CAAqD;gBAE5D,MAAM,EAAE,uBAAuB;IAkBrC,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC;IAiEvC,UAAU,IAAI,IAAI;CAGnB"}

package/dist/services/client-auth.js

@@ -0,0 +1,75 @@
+import { MissingParameterError, ClientCredentialsError, } from "../errors/error.js";
+export class GatesClientAuth {
+    tokenEndpoint;
+    clientId;
+    clientSecret;
+    scopes;
+    cachedToken = null;
+    constructor(config) {
+        if (!config.domain || config.domain.trim().length === 0) {
+            throw new MissingParameterError("domain");
+        }
+        if (!config.clientId || config.clientId.trim().length === 0) {
+            throw new MissingParameterError("clientId");
+        }
+        if (!config.clientSecret || config.clientSecret.trim().length === 0) {
+            throw new MissingParameterError("clientSecret");
+        }
+        const domain = config.domain.replace(/\/$/, "");
+        this.tokenEndpoint = `https://${domain}/oauth2/token`;
+        this.clientId = config.clientId;
+        this.clientSecret = config.clientSecret;
+        this.scopes = config.scopes ?? [];
+    }
+    async getAccessToken() {
+        if (this.cachedToken && Date.now() < this.cachedToken.expiresAt) {
+            return this.cachedToken.token;
+        }
+        const body = new URLSearchParams({
+            grant_type: "client_credentials",
+        });
+        if (this.scopes.length > 0) {
+            body.set("scope", this.scopes.join(" "));
+        }
+        const credentials = Buffer.from(`${this.clientId}:${this.clientSecret}`).toString("base64");
+        let response;
+        try {
+            response = await fetch(this.tokenEndpoint, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/x-www-form-urlencoded",
+                    Authorization: `Basic ${credentials}`,
+                },
+                body: body.toString(),
+            });
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Unknown network error";
+            throw new ClientCredentialsError(`Failed to reach token endpoint: ${message}`);
+        }
+        if (!response.ok) {
+            let detail;
+            try {
+                const errorBody = (await response.json());
+                detail = errorBody.error ?? response.statusText;
+            }
+            catch {
+                detail = response.statusText;
+            }
+            throw new ClientCredentialsError(`Token request failed (${response.status}): ${detail}`);
+        }
+        const data = (await response.json());
+        if (!data.access_token) {
+            throw new ClientCredentialsError("Token response missing access_token field");
+        }
+        const bufferMs = 30_000;
+        this.cachedToken = {
+            token: data.access_token,
+            expiresAt: Date.now() + data.expires_in * 1000 - bufferMs,
+        };
+        return data.access_token;
+    }
+    clearCache() {
+        this.cachedToken = null;
+    }
+}

package/dist/services/user-service.d.ts

@@ -27,9 +27,9 @@ export declare class GatesUserService {
     getAllUsers(idToken: string): Promise<UserListResponse>;
     /**
      * Busca um usuário específico por ID
-     * @param accessToken Token de autenticação
+     * @param idToken Token de autenticação
      * @returns Dados do usuário
      */
-    login(accessToken: string): Promise<UserProfile>;
+    getProfile(idToken: string): Promise<UserProfile>;
 }
 //# sourceMappingURL=user-service.d.ts.map

package/dist/services/user-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"user-service.d.ts","sourceRoot":"","sources":["../../src/services/user-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAoB,MAAM,sBAAsB,CAAC;AAErE,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,WAAW,EAAE,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAgBD,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAyB;gBAE5C,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAQ3C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAExB;IAEF;;;;;OAKG;IACG,WAAW,CACf,OAAO,EAAE,MAAM,GAEd,OAAO,CAAC,gBAAgB,CAAC;IAiD5B;;;;OAIG;IACG,KAAK,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;CA2CvD"}
+{"version":3,"file":"user-service.d.ts","sourceRoot":"","sources":["../../src/services/user-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAoB,MAAM,sBAAsB,CAAC;AAOrE,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,WAAW,EAAE,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAeD,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAyB;gBAE5C,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAQ3C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAExB;IAEF;;;;;OAKG;IACG,WAAW,CACf,OAAO,EAAE,MAAM,GAEd,OAAO,CAAC,gBAAgB,CAAC;IAqE5B;;;;OAIG;IACG,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;CAuExD"}