@intelicity/gates-sdk 0.1.6 → 0.2.0

package/dist/auth/middleware.js

@@ -1,40 +1,31 @@
-// // src/auth/middleware.ts
-// import type { FastifyRequest, FastifyReply } from "fastify";
-// import { verifyToken, type VerifyOptions } from "./verifier.js";
-// import {
-//   MissingAuthorizationError,
-//   InvalidTokenError,
-//   TokenExpiredError,
-// } from "../errors/error.js";
-// import type { GatesUser } from "../models/user.js";
-export {};
-// // Extend FastifyRequest to include user
-// declare module "fastify" {
-//   interface FastifyRequest {
-//     user?: GatesUser;
-//   }
-// }
-// export type GatesMiddlewareConfig = VerifyOptions;
-// /**
-//  * Fastify middleware to verify JWT tokens from AWS Cognito
-//  * @param config Configuration with region, userPoolId, and optional audience
-//  * @returns Fastify preHandler hook
-//  */
-// export function gatesMiddleware(config: GatesMiddlewareConfig) {
-//   return async (request: FastifyRequest, reply: FastifyReply) => {
-//     const authHeader = request.headers.authorization;
-//     if (!authHeader) {
-//       throw new MissingAuthorizationError();
-//     }
-//     const token = authHeader.replace(/^Bearer\s+/i, "");
-//     try {
-//       const user = await verifyToken(token, config);
-//       request.user = user;
-//     } catch (err) {
-//       if (err instanceof Error && err.message.includes("expired")) {
-//         throw new TokenExpiredError();
-//       }
-//       throw new InvalidTokenError();
-//     }
-//   };
-// }
+import { MissingAuthorizationError, UnauthorizedGroupError, } from "../errors/error.js";
+export function extractToken(authorizationHeader) {
+    if (!authorizationHeader) {
+        throw new MissingAuthorizationError();
+    }
+    const match = /^Bearer\s+(.+)$/i.exec(authorizationHeader);
+    if (!match) {
+        throw new MissingAuthorizationError("Authorization header must use Bearer scheme");
+    }
+    return match[1];
+}
+export async function authenticate(token, service) {
+    return service.verifyToken(token);
+}
+export function authorize(user, requiredGroups) {
+    const groups = Array.isArray(requiredGroups)
+        ? requiredGroups
+        : [requiredGroups];
+    const hasGroup = user.groups.some((g) => groups.includes(g));
+    if (!hasGroup) {
+        throw new UnauthorizedGroupError(`User must be a member of one of the following groups: ${groups.join(", ")}`, groups);
+    }
+}
+export async function handleAuth(authorizationHeader, config) {
+    const token = extractToken(authorizationHeader);
+    const user = await authenticate(token, config.service);
+    if (config.requiredGroups) {
+        authorize(user, config.requiredGroups);
+    }
+    return user;
+}

package/dist/errors/error.d.ts

@@ -1,69 +1,33 @@
-/**
- * Base error class for all Gates SDK errors
- */
 export declare class GatesError extends Error {
     readonly code?: string | undefined;
     constructor(message: string, code?: string | undefined);
 }
-/**
- * Base error class for authentication-related errors
- */
 export declare class AuthenticationError extends GatesError {
     constructor(message: string, code?: string);
 }
-/**
- * Error thrown when a token has expired
- */
 export declare class TokenExpiredError extends AuthenticationError {
     constructor(message?: string);
 }
-/**
- * Error thrown when a token is invalid
- */
 export declare class InvalidTokenError extends AuthenticationError {
     constructor(message?: string);
 }
-/**
- * Error thrown when authorization header is missing
- */
 export declare class MissingAuthorizationError extends AuthenticationError {
     constructor(message?: string);
 }
-/**
- * Error thrown when user is not a member of required group
- */
 export declare class UnauthorizedGroupError extends AuthenticationError {
     readonly requiredGroups: string[];
     constructor(message: string, requiredGroups: string[]);
 }
-/**
- * Base error class for API-related errors
- */
 export declare class ApiError extends GatesError {
     readonly statusCode?: number | undefined;
     constructor(message: string, statusCode?: number | undefined, code?: string);
 }
-/**
- * Error thrown when API request fails
- */
 export declare class ApiRequestError extends ApiError {
     constructor(message: string, statusCode?: number);
 }
-/**
- * Error thrown when API response is invalid
- */
-export declare class InvalidResponseError extends ApiError {
-    constructor(message?: string);
-}
-/**
- * Error thrown when a required parameter is missing
- */
 export declare class MissingParameterError extends GatesError {
     constructor(parameterName: string);
 }
-/**
- * Error thrown when a parameter has an invalid value
- */
 export declare class InvalidParameterError extends GatesError {
     constructor(parameterName: string, reason?: string);
 }

package/dist/errors/error.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"error.d.ts","sourceRoot":"","sources":["../../src/errors/error.ts"],"names":[],"mappings":"AAEA;;GAEG;AACH,qBAAa,UAAW,SAAQ,KAAK;aACU,IAAI,CAAC,EAAE,MAAM;gBAA9C,OAAO,EAAE,MAAM,EAAkB,IAAI,CAAC,EAAE,MAAM,YAAA;CAK3D;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,UAAU;gBACrC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM;CAK3C;AAED;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,mBAAmB;gBAC5C,OAAO,SAAmB;CAKvC;AAED;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,mBAAmB;gBAC5C,OAAO,SAAmB;CAKvC;AAED;;GAEG;AACH,qBAAa,yBAA0B,SAAQ,mBAAmB;gBACpD,OAAO,SAAwC;CAK5D;AAED;;GAEG;AACH,qBAAa,sBAAuB,SAAQ,mBAAmB;aAChB,cAAc,EAAE,MAAM,EAAE;gBAAzD,OAAO,EAAE,MAAM,EAAkB,cAAc,EAAE,MAAM,EAAE;CAKtE;AAED;;GAEG;AACH,qBAAa,QAAS,SAAQ,UAAU;aAGpB,UAAU,CAAC,EAAE,MAAM;gBADnC,OAAO,EAAE,MAAM,EACC,UAAU,CAAC,EAAE,MAAM,YAAA,EACnC,IAAI,CAAC,EAAE,MAAM;CAMhB;AAED;;GAEG;AACH,qBAAa,eAAgB,SAAQ,QAAQ;gBAC/B,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM;CAKjD;AAED;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,QAAQ;gBACpC,OAAO,SAAwC;CAK5D;AAED;;GAEG;AACH,qBAAa,qBAAsB,SAAQ,UAAU;gBACvC,aAAa,EAAE,MAAM;CAQlC;AAED;;GAEG;AACH,qBAAa,qBAAsB,SAAQ,UAAU;gBACvC,aAAa,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM;CAQnD"}
+{"version":3,"file":"error.d.ts","sourceRoot":"","sources":["../../src/errors/error.ts"],"names":[],"mappings":"AAAA,qBAAa,UAAW,SAAQ,KAAK;aACU,IAAI,CAAC,EAAE,MAAM;gBAA9C,OAAO,EAAE,MAAM,EAAkB,IAAI,CAAC,EAAE,MAAM,YAAA;CAK3D;AAED,qBAAa,mBAAoB,SAAQ,UAAU;gBACrC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM;CAK3C;AAED,qBAAa,iBAAkB,SAAQ,mBAAmB;gBAC5C,OAAO,SAAsB;CAK1C;AAED,qBAAa,iBAAkB,SAAQ,mBAAmB;gBAC5C,OAAO,SAAkB;CAKtC;AAED,qBAAa,yBAA0B,SAAQ,mBAAmB;gBACpD,OAAO,SAAoC;CAKxD;AAED,qBAAa,sBAAuB,SAAQ,mBAAmB;aAChB,cAAc,EAAE,MAAM,EAAE;gBAAzD,OAAO,EAAE,MAAM,EAAkB,cAAc,EAAE,MAAM,EAAE;CAKtE;AAED,qBAAa,QAAS,SAAQ,UAAU;aAGpB,UAAU,CAAC,EAAE,MAAM;gBADnC,OAAO,EAAE,MAAM,EACC,UAAU,CAAC,EAAE,MAAM,YAAA,EACnC,IAAI,CAAC,EAAE,MAAM;CAMhB;AAED,qBAAa,eAAgB,SAAQ,QAAQ;gBAC/B,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM;CAKjD;AAED,qBAAa,qBAAsB,SAAQ,UAAU;gBACvC,aAAa,EAAE,MAAM;CAKlC;AAED,qBAAa,qBAAsB,SAAQ,UAAU;gBACvC,aAAa,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM;CAQnD"}

package/dist/errors/error.js

@@ -1,7 +1,3 @@
-// src/errors/error.ts
-/**
- * Base error class for all Gates SDK errors
- */
 export class GatesError extends Error {
     code;
     constructor(message, code) {
@@ -11,9 +7,6 @@ export class GatesError extends Error {
         Object.setPrototypeOf(this, GatesError.prototype);
     }
 }
-/**
- * Base error class for authentication-related errors
- */
 export class AuthenticationError extends GatesError {
     constructor(message, code) {
         super(message, code);
@@ -21,39 +14,27 @@ export class AuthenticationError extends GatesError {
         Object.setPrototypeOf(this, AuthenticationError.prototype);
     }
 }
-/**
- * Error thrown when a token has expired
- */
 export class TokenExpiredError extends AuthenticationError {
-    constructor(message = "Token expirado") {
+    constructor(message = "Token has expired") {
         super(message, "TOKEN_EXPIRED");
         this.name = "TokenExpiredError";
         Object.setPrototypeOf(this, TokenExpiredError.prototype);
     }
 }
-/**
- * Error thrown when a token is invalid
- */
 export class InvalidTokenError extends AuthenticationError {
-    constructor(message = "Token inválido") {
+    constructor(message = "Invalid token") {
         super(message, "INVALID_TOKEN");
         this.name = "InvalidTokenError";
         Object.setPrototypeOf(this, InvalidTokenError.prototype);
     }
 }
-/**
- * Error thrown when authorization header is missing
- */
 export class MissingAuthorizationError extends AuthenticationError {
-    constructor(message = "Header de autorização não fornecido") {
+    constructor(message = "Authorization header is missing") {
         super(message, "MISSING_AUTHORIZATION");
         this.name = "MissingAuthorizationError";
         Object.setPrototypeOf(this, MissingAuthorizationError.prototype);
     }
 }
-/**
- * Error thrown when user is not a member of required group
- */
 export class UnauthorizedGroupError extends AuthenticationError {
     requiredGroups;
     constructor(message, requiredGroups) {
@@ -63,9 +44,6 @@ export class UnauthorizedGroupError extends AuthenticationError {
         Object.setPrototypeOf(this, UnauthorizedGroupError.prototype);
     }
 }
-/**
- * Base error class for API-related errors
- */
 export class ApiError extends GatesError {
     statusCode;
     constructor(message, statusCode, code) {
@@ -75,9 +53,6 @@ export class ApiError extends GatesError {
         Object.setPrototypeOf(this, ApiError.prototype);
     }
 }
-/**
- * Error thrown when API request fails
- */
 export class ApiRequestError extends ApiError {
     constructor(message, statusCode) {
         super(message, statusCode, "API_REQUEST_ERROR");
@@ -85,34 +60,18 @@ export class ApiRequestError extends ApiError {
         Object.setPrototypeOf(this, ApiRequestError.prototype);
     }
 }
-/**
- * Error thrown when API response is invalid
- */
-export class InvalidResponseError extends ApiError {
-    constructor(message = "Formato de resposta da API inválido") {
-        super(message, undefined, "INVALID_RESPONSE");
-        this.name = "InvalidResponseError";
-        Object.setPrototypeOf(this, InvalidResponseError.prototype);
-    }
-}
-/**
- * Error thrown when a required parameter is missing
- */
 export class MissingParameterError extends GatesError {
     constructor(parameterName) {
-        super(`Parâmetro obrigatório ausente: ${parameterName}`, "MISSING_PARAMETER");
+        super(`Missing required parameter: ${parameterName}`, "MISSING_PARAMETER");
         this.name = "MissingParameterError";
         Object.setPrototypeOf(this, MissingParameterError.prototype);
     }
 }
-/**
- * Error thrown when a parameter has an invalid value
- */
 export class InvalidParameterError extends GatesError {
     constructor(parameterName, reason) {
         const message = reason
-            ? `Parâmetro '${parameterName}' inválido: ${reason}`
-            : `Parâmetro inválido: ${parameterName}`;
+            ? `Invalid parameter '${parameterName}': ${reason}`
+            : `Invalid parameter: ${parameterName}`;
         super(message, "INVALID_PARAMETER");
         this.name = "InvalidParameterError";
         Object.setPrototypeOf(this, InvalidParameterError.prototype);

package/dist/index.d.ts

@@ -1,6 +1,6 @@
-export type { GatesUser as GatesUser } from "./models/user.js";
-export type { UserProfile as Profile, ProfileAttribute, } from "./models/profile.js";
-export { GatesUserService as UserService, type UserListResponse, type GetAllUsersOptions, } from "./services/user-service.js";
-export { GatesAuthService as AuthService, type VerifyOptions, } from "./services/auth-service.js";
-export { GatesError, AuthenticationError, TokenExpiredError, InvalidTokenError, MissingAuthorizationError, UnauthorizedGroupError, ApiError, ApiRequestError, InvalidResponseError, MissingParameterError, InvalidParameterError, } from "./errors/error.js";
+export type { GatesUser, GatesRole } from "./models/user.js";
+export { AuthService, type VerifyOptions } from "./services/auth-service.js";
+export { GatesAdminService, type GatesAdminConfig, type CreateUserParams, type CreateUserResponse, type UpdateUserParams, } from "./services/admin-service.js";
+export { extractToken, authenticate, authorize, handleAuth, type AuthHandlerConfig, } from "./auth/middleware.js";
+export { GatesError, AuthenticationError, TokenExpiredError, InvalidTokenError, MissingAuthorizationError, UnauthorizedGroupError, ApiError, ApiRequestError, MissingParameterError, InvalidParameterError, } from "./errors/error.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,YAAY,EAAE,SAAS,IAAI,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC/D,YAAY,EACV,WAAW,IAAI,OAAO,EACtB,gBAAgB,GACjB,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,gBAAgB,IAAI,WAAW,EAC/B,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,GACxB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,gBAAgB,IAAI,WAAW,EAC/B,KAAK,aAAa,GACnB,MAAM,4BAA4B,CAAC;AAGpC,OAAO,EAEL,UAAU,EAGV,mBAAmB,EACnB,iBAAiB,EACjB,iBAAiB,EACjB,yBAAyB,EACzB,sBAAsB,EAGtB,QAAQ,EACR,eAAe,EACf,oBAAoB,EAGpB,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAG7D,OAAO,EAAE,WAAW,EAAE,KAAK,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAE7E,OAAO,EACL,iBAAiB,EACjB,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,GACtB,MAAM,6BAA6B,CAAC;AAGrC,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,SAAS,EACT,UAAU,EACV,KAAK,iBAAiB,GACvB,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EACL,UAAU,EACV,mBAAmB,EACnB,iBAAiB,EACjB,iBAAiB,EACjB,yBAAyB,EACzB,sBAAsB,EACtB,QAAQ,EACR,eAAe,EACf,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,mBAAmB,CAAC"}

package/dist/index.js

@@ -1,14 +1,7 @@
-// Main exports for Gates SDK
 // Services
-export { GatesUserService as UserService, } from "./services/user-service.js";
-export { GatesAuthService as AuthService, } from "./services/auth-service.js";
+export { AuthService } from "./services/auth-service.js";
+export { GatesAdminService, } from "./services/admin-service.js";
+// Middleware
+export { extractToken, authenticate, authorize, handleAuth, } from "./auth/middleware.js";
 // Errors
-export { 
-// Base errors
-GatesError, 
-// Authentication errors
-AuthenticationError, TokenExpiredError, InvalidTokenError, MissingAuthorizationError, UnauthorizedGroupError, 
-// API errors
-ApiError, ApiRequestError, InvalidResponseError, 
-// Parameter errors
-MissingParameterError, InvalidParameterError, } from "./errors/error.js";
+export { GatesError, AuthenticationError, TokenExpiredError, InvalidTokenError, MissingAuthorizationError, UnauthorizedGroupError, ApiError, ApiRequestError, MissingParameterError, InvalidParameterError, } from "./errors/error.js";

package/dist/models/user.d.ts

@@ -1,12 +1,11 @@
-/**
- * Tipagem base do payload que sai do Cognito.
- * Você pode estender com claims próprias (ex.: permissions, system_access).
- */
+export type GatesRole = "INTERNAL_ADMIN" | "INTERNAL_USER" | "CLIENT_ADMIN" | "CLIENT_USER";
 export type GatesUser = {
     user_id: string;
-    email: string;
-    name: string;
-    role: string;
+    email?: string;
+    name?: string;
+    role?: string;
+    groups: string[];
+    token_use: "access" | "id";
     exp: number;
     iat: number;
 };

package/dist/models/user.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"user.d.ts","sourceRoot":"","sources":["../../src/models/user.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,MAAM,SAAS,GAAG;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb,CAAC"}
+{"version":3,"file":"user.d.ts","sourceRoot":"","sources":["../../src/models/user.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,SAAS,GACjB,gBAAgB,GAChB,eAAe,GACf,cAAc,GACd,aAAa,CAAC;AAElB,MAAM,MAAM,SAAS,GAAG;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,SAAS,EAAE,QAAQ,GAAG,IAAI,CAAC;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb,CAAC"}

package/dist/services/admin-service.d.ts

@@ -0,0 +1,26 @@
+import { GatesRole } from "../models/user.js";
+export type GatesAdminConfig = {
+    baseUrl: string;
+};
+export type CreateUserParams = {
+    email: string;
+    name: string;
+    role: GatesRole;
+    client: string;
+};
+export type CreateUserResponse = {
+    sub: string;
+};
+export type UpdateUserParams = {
+    user_id: string;
+    clients_to_add?: string[];
+    clients_to_remove?: string[];
+};
+export declare class GatesAdminService {
+    private readonly baseUrl;
+    constructor(config: GatesAdminConfig);
+    createUser(idToken: string, params: CreateUserParams): Promise<CreateUserResponse>;
+    updateUser(idToken: string, params: UpdateUserParams): Promise<void>;
+    private request;
+}
+//# sourceMappingURL=admin-service.d.ts.map

package/dist/services/admin-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-service.d.ts","sourceRoot":"","sources":["../../src/services/admin-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAO9C,MAAM,MAAM,gBAAgB,GAAG;IAC7B,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,SAAS,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC9B,CAAC;AASF,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;gBAErB,MAAM,EAAE,gBAAgB;IAO9B,UAAU,CACd,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC,kBAAkB,CAAC;IAgDxB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC;YAgB5D,OAAO;CAmCtB"}

package/dist/services/admin-service.js

@@ -0,0 +1,92 @@
+import { MissingParameterError, InvalidParameterError, ApiRequestError, } from "../errors/error.js";
+const VALID_ROLES = [
+    "INTERNAL_ADMIN",
+    "INTERNAL_USER",
+    "CLIENT_ADMIN",
+    "CLIENT_USER",
+];
+export class GatesAdminService {
+    baseUrl;
+    constructor(config) {
+        if (!config.baseUrl || config.baseUrl.trim().length === 0) {
+            throw new MissingParameterError("baseUrl");
+        }
+        this.baseUrl = config.baseUrl.replace(/\/$/, "");
+    }
+    async createUser(idToken, params) {
+        if (!idToken) {
+            throw new MissingParameterError("idToken");
+        }
+        if (!params.email || params.email.trim().length === 0) {
+            throw new MissingParameterError("email");
+        }
+        if (!params.name || params.name.trim().length === 0) {
+            throw new MissingParameterError("name");
+        }
+        if (!params.role) {
+            throw new MissingParameterError("role");
+        }
+        if (!VALID_ROLES.includes(params.role)) {
+            throw new InvalidParameterError("role", `must be one of: ${VALID_ROLES.join(", ")}`);
+        }
+        if (!params.client || params.client.trim().length === 0) {
+            throw new MissingParameterError("client");
+        }
+        const response = await this.request("POST", "/create-user", idToken, {
+            email: params.email,
+            name: params.name,
+            role: params.role,
+        });
+        const data = (await response.json());
+        if (!data.sub) {
+            throw new ApiRequestError("Response missing 'sub' field");
+        }
+        await this.updateUser(idToken, {
+            user_id: data.sub,
+            clients_to_add: [params.client],
+        });
+        return data;
+    }
+    async updateUser(idToken, params) {
+        if (!idToken) {
+            throw new MissingParameterError("idToken");
+        }
+        if (!params.user_id || params.user_id.trim().length === 0) {
+            throw new MissingParameterError("user_id");
+        }
+        await this.request("PUT", "/update-user", idToken, {
+            user_id: params.user_id,
+            clients_to_add: params.clients_to_add,
+            clients_to_remove: params.clients_to_remove,
+        });
+    }
+    async request(method, path, idToken, body) {
+        let response;
+        try {
+            response = await fetch(`${this.baseUrl}${path}`, {
+                method,
+                headers: {
+                    "Content-Type": "application/json",
+                    Authorization: `Bearer ${idToken}`,
+                },
+                body: JSON.stringify(body),
+            });
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Unknown network error";
+            throw new ApiRequestError(`Failed to reach Gates API: ${message}`);
+        }
+        if (!response.ok) {
+            let detail;
+            try {
+                const errorBody = (await response.json());
+                detail = errorBody.message ?? response.statusText;
+            }
+            catch {
+                detail = response.statusText;
+            }
+            throw new ApiRequestError(`Gates API error: ${detail}`, response.status);
+        }
+        return response;
+    }
+}

package/dist/services/auth-service.d.ts

@@ -2,17 +2,14 @@ import { GatesUser } from "../models/user.js";
 export type VerifyOptions = {
     region: string;
     userPoolId: string;
-    audience: string;
-    requiredGroup?: string | string[];
+    clientId: string;
 };
-export declare class GatesAuthService {
+export declare class AuthService {
     private readonly region;
     private readonly userPoolId;
-    private readonly audience;
-    private readonly requiredGroup?;
-    constructor(region: string, userPoolId: string, audience: string, requiredGroup?: string | string[]);
+    private readonly clientId;
+    constructor(region: string, userPoolId: string, clientId: string);
     private get issuer();
-    isMemberOf(groups?: string[]): boolean;
     verifyToken(token: string): Promise<GatesUser>;
 }
 //# sourceMappingURL=auth-service.d.ts.map

package/dist/services/auth-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-service.d.ts","sourceRoot":"","sources":["../../src/services/auth-service.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAS9C,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;CACnC,CAAC;AAEF,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAoB;gBAGjD,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,EAChB,aAAa,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE;IAoCnC,OAAO,KAAK,MAAM,GAEjB;IAED,UAAU,CAAC,MAAM,GAAE,MAAM,EAAO,GAAG,OAAO;IAgBpC,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CA0FrD"}
+{"version":3,"file":"auth-service.d.ts","sourceRoot":"","sources":["../../src/services/auth-service.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAQ9C,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAEtB,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM;IAiChE,OAAO,KAAK,MAAM,GAEjB;IAEK,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CAqFrD"}

package/dist/services/auth-service.js

@@ -1,12 +1,11 @@
 import { jwtVerify, errors as joseErrors } from "jose";
 import { getJwks } from "../cache/jwks-cache.js";
-import { InvalidParameterError, MissingParameterError, TokenExpiredError, InvalidTokenError, UnauthorizedGroupError, } from "../errors/error.js";
-export class GatesAuthService {
+import { InvalidParameterError, MissingParameterError, TokenExpiredError, InvalidTokenError, } from "../errors/error.js";
+export class AuthService {
     region;
     userPoolId;
-    audience;
-    requiredGroup;
-    constructor(region, userPoolId, audience, requiredGroup) {
+    clientId;
+    constructor(region, userPoolId, clientId) {
         if (!region || typeof region !== "string" || region.trim().length === 0) {
             throw new MissingParameterError("region");
         }
@@ -15,35 +14,21 @@ export class GatesAuthService {
             userPoolId.trim().length === 0) {
             throw new MissingParameterError("userPoolId");
         }
-        if (!audience ||
-            typeof audience !== "string" ||
-            audience.trim().length === 0) {
-            throw new MissingParameterError("audience");
+        if (!clientId ||
+            typeof clientId !== "string" ||
+            clientId.trim().length === 0) {
+            throw new MissingParameterError("clientId");
         }
-        // Validar formato do userPoolId (deve seguir padrão AWS)
         if (!/^[a-zA-Z0-9_-]+$/.test(userPoolId)) {
-            throw new InvalidParameterError("userPoolId", "deve seguir o formato AWS (apenas alfanuméricos, hífens e underscores)");
+            throw new InvalidParameterError("userPoolId", "must follow AWS format (alphanumeric, hyphens, and underscores only)");
         }
         this.region = region;
         this.userPoolId = userPoolId;
-        this.audience = audience;
-        this.requiredGroup = requiredGroup;
+        this.clientId = clientId;
     }
     get issuer() {
         return `https://cognito-idp.${this.region}.amazonaws.com/${this.userPoolId}`;
     }
-    isMemberOf(groups = []) {
-        if (!Array.isArray(groups)) {
-            return false;
-        }
-        if (!this.requiredGroup) {
-            return true;
-        }
-        const requiredGroups = Array.isArray(this.requiredGroup)
-            ? this.requiredGroup
-            : [this.requiredGroup];
-        return groups.some((g) => requiredGroups.includes(g));
-    }
     async verifyToken(token) {
         if (!token) {
             throw new MissingParameterError("token");
@@ -52,47 +37,48 @@ export class GatesAuthService {
             const jwks = getJwks(this.region, this.userPoolId);
             const { payload } = await jwtVerify(token, jwks, {
                 issuer: this.issuer,
-                audience: this.audience,
             });
-            if (this.requiredGroup) {
-                const userGroups = payload["cognito:groups"];
-                const requiredGroups = Array.isArray(this.requiredGroup)
-                    ? this.requiredGroup
-                    : [this.requiredGroup];
-                if (!userGroups || !Array.isArray(userGroups)) {
-                    throw new UnauthorizedGroupError("Usuário não pertence a nenhum grupo obrigatório", requiredGroups);
+            const tokenUse = payload.token_use;
+            if (tokenUse !== "access" && tokenUse !== "id") {
+                throw new InvalidTokenError(`Unsupported token_use: expected "access" or "id", got "${tokenUse}"`);
+            }
+            if (tokenUse === "access") {
+                const clientId = payload.client_id;
+                if (clientId !== this.clientId) {
+                    throw new InvalidTokenError("Token client_id does not match the expected clientId");
                 }
-                // Verifica se o usuário tem pelo menos um dos grupos obrigatórios
-                const hasRequiredGroup = requiredGroups.some((group) => userGroups.includes(group));
-                if (!hasRequiredGroup) {
-                    throw new UnauthorizedGroupError(`Usuário deve ser membro de um dos seguintes grupos: ${requiredGroups.join(", ")}`, requiredGroups);
+            }
+            else {
+                const aud = payload.aud;
+                const audValue = Array.isArray(aud) ? aud[0] : aud;
+                if (audValue !== this.clientId) {
+                    throw new InvalidTokenError("Token audience does not match the expected clientId");
                 }
             }
-            // Mapear o payload do Cognito para o formato do GatesUser
+            const groups = payload["cognito:groups"] ?? [];
             const user = {
                 user_id: payload.sub,
                 email: payload.email,
                 name: payload.name,
                 role: payload["custom:general_role"],
+                groups,
+                token_use: tokenUse,
                 exp: payload.exp,
                 iat: payload.iat,
             };
             return user;
         }
         catch (error) {
-            // Re-throw known errors
-            if (error instanceof UnauthorizedGroupError ||
+            if (error instanceof InvalidTokenError ||
                 error instanceof MissingParameterError) {
                 throw error;
             }
-            // Handle jose-specific errors
             if (error instanceof joseErrors.JWTExpired) {
-                throw new TokenExpiredError("Token expirado");
+                throw new TokenExpiredError();
             }
             if (error instanceof joseErrors.JWTInvalid) {
-                throw new InvalidTokenError("Token inválido ou malformado");
+                throw new InvalidTokenError("Invalid or malformed token");
             }
-            // Handle other jose errors
             if (error instanceof Error) {
                 if (error.message.includes("expired")) {
                     throw new TokenExpiredError(error.message);
@@ -101,9 +87,9 @@ export class GatesAuthService {
                     error.message.includes("invalid")) {
                     throw new InvalidTokenError(error.message);
                 }
-                throw new InvalidTokenError(`Falha na verificação do token: ${error.message}`);
+                throw new InvalidTokenError(`Token verification failed: ${error.message}`);
             }
-            throw new InvalidTokenError("Falha na verificação do token");
+            throw new InvalidTokenError("Token verification failed");
         }
     }
 }

package/dist/services/client-auth.d.ts

@@ -0,0 +1,22 @@
+export type ClientCredentialsConfig = {
+    domain: string;
+    clientId: string;
+    clientSecret: string;
+    scopes?: string[];
+};
+export type ClientToken = {
+    access_token: string;
+    expires_in: number;
+    token_type: string;
+};
+export declare class GatesClientAuth {
+    private readonly tokenEndpoint;
+    private readonly clientId;
+    private readonly clientSecret;
+    private readonly scopes;
+    private cachedToken;
+    constructor(config: ClientCredentialsConfig);
+    getAccessToken(): Promise<string>;
+    clearCache(): void;
+}
+//# sourceMappingURL=client-auth.d.ts.map