@iqauth/sdk 2.0.0

package/dist/next.mjs

@@ -0,0 +1,130 @@
+import {
+  handleCallback,
+  handleRefresh,
+  handleSignout,
+  serializeCookie
+} from "./chunk-5HF3OBNO.mjs";
+import {
+  parsePublishableKey
+} from "./chunk-5WFR6Y33.mjs";
+import {
+  IQAuthClient
+} from "./chunk-JQWYIIIS.mjs";
+import "./chunk-6I6RM4MN.mjs";
+import "./chunk-Y6FXYEAI.mjs";
+
+// src/next.ts
+function readCookieFromHeader(header, name) {
+  if (!header) return void 0;
+  const target = `${name}=`;
+  for (const seg of header.split(";")) {
+    const t = seg.trim();
+    if (t.startsWith(target)) {
+      try {
+        return decodeURIComponent(t.slice(target.length));
+      } catch {
+        return t.slice(target.length);
+      }
+    }
+  }
+  return void 0;
+}
+function toResponse(hr) {
+  const headers = new Headers({ "Content-Type": "application/json" });
+  for (const c of hr.cookies) headers.append("set-cookie", serializeCookie(c));
+  return new Response(JSON.stringify(hr.body), { status: hr.status, headers });
+}
+function handler(options) {
+  const parsed = parsePublishableKey(options.publishableKey);
+  if (!parsed) throw new Error("@iqauth/sdk/next: invalid publishable key");
+  const issuer = (options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
+  const helperConfig = { ...options, issuer };
+  const accessCookie = options.accessCookieName ?? "iqauth_at";
+  const refreshCookie = options.refreshCookieName ?? "iqauth_rt";
+  return async (req) => {
+    const url = new URL(req.url);
+    const action = url.pathname.split("/").pop();
+    const body = await req.json().catch(() => ({}));
+    const cookieHeader = req.headers.get("cookie");
+    if (action === "callback") {
+      return toResponse(await handleCallback(helperConfig, {
+        code: body.code,
+        codeVerifier: body.codeVerifier,
+        redirectUri: body.redirectUri
+      }));
+    }
+    if (action === "refresh") {
+      const refreshToken = body.refreshToken || readCookieFromHeader(cookieHeader, refreshCookie);
+      return toResponse(await handleRefresh(helperConfig, { refreshToken }));
+    }
+    if (action === "signout") {
+      const auth = req.headers.get("authorization");
+      const accessToken = auth && auth.replace(/^Bearer /i, "") || readCookieFromHeader(cookieHeader, accessCookie);
+      return toResponse(await handleSignout(helperConfig, { accessToken }));
+    }
+    return new Response(JSON.stringify({ success: false, error: { code: "NOT_FOUND", message: `Unknown action: ${action}` } }), {
+      status: 404,
+      headers: { "Content-Type": "application/json" }
+    });
+  };
+}
+function createMiddleware(options) {
+  const parsed = parsePublishableKey(options.publishableKey);
+  if (!parsed) throw new Error("@iqauth/sdk/next: invalid publishable key");
+  const issuer = (options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
+  const accessCookie = options.accessCookieName ?? "iqauth_at";
+  const client = new IQAuthClient({ baseUrl: issuer, environment: "server" });
+  return async (req) => {
+    const auth = req.headers.get("authorization");
+    let token;
+    if (auth && auth.startsWith("Bearer ")) token = auth.slice(7);
+    if (!token) token = readCookieFromHeader(req.headers.get("cookie"), accessCookie);
+    if (!token) {
+      return new Response(JSON.stringify({ success: false, error: { code: "TOKEN_INVALID", message: "Missing access token" } }), {
+        status: 401,
+        headers: { "Content-Type": "application/json" }
+      });
+    }
+    try {
+      await client.tokens.verify(token);
+      return void 0;
+    } catch (err) {
+      const code = err.code || "TOKEN_INVALID";
+      return new Response(JSON.stringify({ success: false, error: { code, message: "Authentication failed" } }), {
+        status: 401,
+        headers: { "Content-Type": "application/json" }
+      });
+    }
+  };
+}
+async function getAuth(options) {
+  const parsed = parsePublishableKey(options.publishableKey);
+  if (!parsed) throw new Error("@iqauth/sdk/next: invalid publishable key");
+  const issuer = (options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
+  const accessCookie = options.accessCookieName ?? "iqauth_at";
+  let cookieJar = null;
+  try {
+    const specifier = ["next", "headers"].join("/");
+    const mod = await import(
+      /* @vite-ignore */
+      /* webpackIgnore: true */
+      specifier
+    );
+    cookieJar = mod.cookies ? mod.cookies() : null;
+  } catch {
+    cookieJar = null;
+  }
+  const token = cookieJar?.get(accessCookie)?.value;
+  if (!token) return null;
+  const client = new IQAuthClient({ baseUrl: issuer, environment: "server" });
+  try {
+    return await client.tokens.verify(token);
+  } catch {
+    return null;
+  }
+}
+export {
+  createMiddleware,
+  getAuth,
+  handler
+};

package/dist/publishableKey-B5DIK81A.d.mts

@@ -0,0 +1,24 @@
+/**
+ * Publishable key codec — browser-safe, no Node deps.
+ *
+ * Format: pk_<env>_<base64url(JSON{iss,appId,tenantId,kid})>
+ *
+ * Mirrors the server-side codec at src/lib/publishableKey.ts. Keep in sync.
+ */
+type KeyMode = "test" | "live";
+interface PublishableKeyPayload {
+    iss: string;
+    appId: string;
+    tenantId: string;
+    kid: string;
+}
+interface ParsedPublishableKey extends PublishableKeyPayload {
+    mode: KeyMode;
+    raw: string;
+}
+declare function encodePublishableKey(mode: KeyMode, payload: PublishableKeyPayload): string;
+declare function parsePublishableKey(raw: string): ParsedPublishableKey | null;
+declare function isPublishableKey(raw: string): boolean;
+declare function isSecretKey(raw: string): boolean;
+
+export { type KeyMode as K, type PublishableKeyPayload as P, isSecretKey as a, type ParsedPublishableKey as b, encodePublishableKey as e, isPublishableKey as i, parsePublishableKey as p };

package/dist/publishableKey-B5DIK81A.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Publishable key codec — browser-safe, no Node deps.
+ *
+ * Format: pk_<env>_<base64url(JSON{iss,appId,tenantId,kid})>
+ *
+ * Mirrors the server-side codec at src/lib/publishableKey.ts. Keep in sync.
+ */
+type KeyMode = "test" | "live";
+interface PublishableKeyPayload {
+    iss: string;
+    appId: string;
+    tenantId: string;
+    kid: string;
+}
+interface ParsedPublishableKey extends PublishableKeyPayload {
+    mode: KeyMode;
+    raw: string;
+}
+declare function encodePublishableKey(mode: KeyMode, payload: PublishableKeyPayload): string;
+declare function parsePublishableKey(raw: string): ParsedPublishableKey | null;
+declare function isPublishableKey(raw: string): boolean;
+declare function isSecretKey(raw: string): boolean;
+
+export { type KeyMode as K, type PublishableKeyPayload as P, isSecretKey as a, type ParsedPublishableKey as b, encodePublishableKey as e, isPublishableKey as i, parsePublishableKey as p };

package/dist/react.d.mts

@@ -0,0 +1,196 @@
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import * as React from 'react';
+import { ReactNode } from 'react';
+import { S as SessionManager, a as SessionSnapshot, b as SignInOptions, c as SignOutOptions, C as CallbackResult } from './signIn-C8f6qVjD.mjs';
+import { d as SessionUser, J as JwtClaims } from './types-Cxl3bQHt.mjs';
+import './publishableKey-B5DIK81A.mjs';
+
+interface IQAuthContextValue {
+    manager: SessionManager;
+    snapshot: SessionSnapshot;
+}
+interface IQAuthProviderProps {
+    publishableKey: string;
+    /** Override the IQAuth issuer URL. Inferred from the key by default. */
+    issuer?: string;
+    /** Disable cross-tab broadcast (rarely useful; primarily for tests). */
+    channelName?: string;
+    /** Disable proactive ~60s-before-expiry refresh. */
+    proactiveRefresh?: boolean;
+    /** Optional pre-built manager (advanced; tests). */
+    manager?: SessionManager;
+    children?: ReactNode;
+}
+/**
+ * Boots the IQAuth browser SDK from a single publishable key. Provides the
+ * session context to all hooks and gating components below it. Strict-mode
+ * safe — a single SessionManager instance is created per provider and reused
+ * across remounts.
+ */
+declare function IQAuthProvider({ publishableKey, issuer, channelName, proactiveRefresh, manager: externalManager, children, }: IQAuthProviderProps): React.FunctionComponentElement<React.ProviderProps<IQAuthContextValue | null>>;
+interface SessionError {
+    code: string;
+    message: string;
+}
+interface UseUserResult {
+    isLoaded: boolean;
+    isSignedIn: boolean;
+    user: SessionUser | null;
+    error: SessionError | null;
+}
+declare function useUser(): UseUserResult;
+interface UseSessionResult {
+    isLoaded: boolean;
+    isSignedIn: boolean;
+    claims: JwtClaims | null;
+    accessToken: string | null;
+    error: SessionError | null;
+}
+declare function useSession(): UseSessionResult;
+interface UseAuthResult {
+    isLoaded: boolean;
+    isSignedIn: boolean;
+    userId: string | null;
+    tenantId: string | null;
+    error: SessionError | null;
+    signIn: (opts?: SignInOptions) => Promise<void>;
+    signOut: (opts?: SignOutOptions) => Promise<void>;
+    redirectToSignIn: (opts?: SignInOptions) => Promise<void>;
+    getToken: () => Promise<string | null>;
+    fetch: (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+}
+declare function useAuth(): UseAuthResult;
+interface UseOrganizationResult {
+    isLoaded: boolean;
+    organization: {
+        id: string;
+        tenantId: string;
+    } | null;
+    error: SessionError | null;
+}
+/**
+ * In IQAuth a "tenant" is the closest analog to Clerk's organization. This
+ * hook returns the tenant the active session is scoped to.
+ */
+declare function useOrganization(): UseOrganizationResult;
+/**
+ * Returns a fetch-like function that auto-attaches the access token and
+ * coordinates refresh. Identical to `useAuth().fetch` but exposed as its own
+ * hook for ergonomic destructuring.
+ */
+declare function useAuthFetch(): (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+declare function SignedIn({ children }: {
+    children?: ReactNode;
+}): React.FunctionComponentElement<{
+    children?: ReactNode | undefined;
+}> | null;
+declare function SignedOut({ children }: {
+    children?: ReactNode;
+}): React.FunctionComponentElement<{
+    children?: ReactNode | undefined;
+}> | null;
+interface RedirectToSignInProps extends SignInOptions {
+}
+declare function RedirectToSignIn(props?: RedirectToSignInProps): null;
+/**
+ * Drop-in callback route. Mount at the path you registered as your
+ * `redirect_uri` (e.g. `/auth/callback`) and the SDK will exchange the code
+ * and navigate to the original `return_to`.
+ */
+interface AuthCallbackProps {
+    /** Override the default `window.location.replace` navigation. */
+    onComplete?: (result: CallbackResult) => void;
+    /** Render while the exchange is in flight. */
+    fallback?: ReactNode;
+}
+declare function AuthCallback({ onComplete, fallback }?: AuthCallbackProps): React.FunctionComponentElement<{
+    children?: ReactNode | undefined;
+}>;
+interface IQAuthBranding {
+    brandName: string | null;
+    logoUrl: string | null;
+    loginHeadline: string | null;
+    loginSubheadline: string | null;
+    primaryColor: string | null;
+    accentColor: string | null;
+    backgroundColor: string | null;
+    surfaceColor: string | null;
+    textColor: string | null;
+    supportEmail?: string | null;
+    supportUrl?: string | null;
+    termsUrl?: string | null;
+    privacyUrl?: string | null;
+}
+interface IQAuthSignInContext {
+    app: {
+        id: string;
+        key: string;
+        name: string;
+        tenantId: string | null;
+        mode: string;
+        defaultClientId: string | null;
+    };
+    providers?: {
+        google?: boolean;
+    };
+    allowedOrigins: string[];
+    returnAllowed: boolean;
+    branding: IQAuthBranding | null;
+}
+interface SharedComponentProps {
+    /** Base URL of the IQAuth service (e.g. https://auth.dispositioniq.com). */
+    iqAuthBaseUrl: string;
+    /** App key registered via Phase A's POST /api/v1/apps. */
+    appKey: string;
+    /** Optional className for the outer wrapper. */
+    className?: string;
+}
+/**
+ * Hook that loads the public sign-in context for an app (branding + allowed origins).
+ */
+declare function useIQAuthSignInContext(iqAuthBaseUrl: string, appKey: string, returnTo: string): {
+    ctx: IQAuthSignInContext | null;
+    loading: boolean;
+    error: string | null;
+};
+interface SignInProps extends SharedComponentProps {
+    /** URL the IQAuth backend should redirect back to with `?code=...`. Must be in the app's allowed_origins. */
+    returnTo: string;
+    /** Called after successful redirect. By default, `window.location.href = url`. */
+    onRedirect?: (url: string) => void;
+}
+declare function SignIn({ iqAuthBaseUrl, appKey, returnTo, onRedirect, className }: SignInProps): react_jsx_runtime.JSX.Element;
+interface SignUpProps extends SharedComponentProps {
+    returnTo?: string;
+    onSuccess?: () => void;
+}
+declare function SignUp({ iqAuthBaseUrl, appKey, returnTo, onSuccess, className }: SignUpProps): react_jsx_runtime.JSX.Element;
+interface UserSummary {
+    sub: string;
+    email: string;
+    name: string;
+    picture?: string | null;
+}
+interface UserButtonProps {
+    iqAuthBaseUrl: string;
+    /** Where to send the user when they click "Account". Defaults to `${iqAuthBaseUrl}/account`. */
+    accountUrl?: string;
+    /** Called after sign-out. Defaults to navigating to /sign-in if a returnTo+appKey are provided, else `window.location.reload()`. */
+    onSignOut?: () => void;
+    className?: string;
+}
+declare function UserButton({ iqAuthBaseUrl, accountUrl, onSignOut, className }: UserButtonProps): react_jsx_runtime.JSX.Element | null;
+interface UserProfileProps {
+    iqAuthBaseUrl: string;
+    className?: string;
+}
+declare function UserProfile({ iqAuthBaseUrl, className }: UserProfileProps): react_jsx_runtime.JSX.Element;
+interface OrganizationSwitcherProps {
+    iqAuthBaseUrl: string;
+    onSwitched?: (tenantId: string) => void;
+    className?: string;
+}
+declare function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, className }: OrganizationSwitcherProps): react_jsx_runtime.JSX.Element;
+declare const __version__ = "phase-bc-1.0.0";
+
+export { AuthCallback, type AuthCallbackProps, type IQAuthBranding, IQAuthProvider, type IQAuthProviderProps, type IQAuthSignInContext, OrganizationSwitcher, type OrganizationSwitcherProps, RedirectToSignIn, type RedirectToSignInProps, type SessionError, type SharedComponentProps, SignIn, type SignInProps, SignUp, type SignUpProps, SignedIn, SignedOut, type UseAuthResult, type UseOrganizationResult, type UseSessionResult, type UseUserResult, UserButton, type UserButtonProps, UserProfile, type UserProfileProps, type UserSummary, __version__, useAuth, useAuthFetch, useIQAuthSignInContext, useOrganization, useSession, useUser };

package/dist/react.d.ts

@@ -0,0 +1,196 @@
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import * as React from 'react';
+import { ReactNode } from 'react';
+import { S as SessionManager, a as SessionSnapshot, b as SignInOptions, c as SignOutOptions, C as CallbackResult } from './signIn-Cy2lbEXb.js';
+import { d as SessionUser, J as JwtClaims } from './types-Cxl3bQHt.js';
+import './publishableKey-B5DIK81A.js';
+
+interface IQAuthContextValue {
+    manager: SessionManager;
+    snapshot: SessionSnapshot;
+}
+interface IQAuthProviderProps {
+    publishableKey: string;
+    /** Override the IQAuth issuer URL. Inferred from the key by default. */
+    issuer?: string;
+    /** Disable cross-tab broadcast (rarely useful; primarily for tests). */
+    channelName?: string;
+    /** Disable proactive ~60s-before-expiry refresh. */
+    proactiveRefresh?: boolean;
+    /** Optional pre-built manager (advanced; tests). */
+    manager?: SessionManager;
+    children?: ReactNode;
+}
+/**
+ * Boots the IQAuth browser SDK from a single publishable key. Provides the
+ * session context to all hooks and gating components below it. Strict-mode
+ * safe — a single SessionManager instance is created per provider and reused
+ * across remounts.
+ */
+declare function IQAuthProvider({ publishableKey, issuer, channelName, proactiveRefresh, manager: externalManager, children, }: IQAuthProviderProps): React.FunctionComponentElement<React.ProviderProps<IQAuthContextValue | null>>;
+interface SessionError {
+    code: string;
+    message: string;
+}
+interface UseUserResult {
+    isLoaded: boolean;
+    isSignedIn: boolean;
+    user: SessionUser | null;
+    error: SessionError | null;
+}
+declare function useUser(): UseUserResult;
+interface UseSessionResult {
+    isLoaded: boolean;
+    isSignedIn: boolean;
+    claims: JwtClaims | null;
+    accessToken: string | null;
+    error: SessionError | null;
+}
+declare function useSession(): UseSessionResult;
+interface UseAuthResult {
+    isLoaded: boolean;
+    isSignedIn: boolean;
+    userId: string | null;
+    tenantId: string | null;
+    error: SessionError | null;
+    signIn: (opts?: SignInOptions) => Promise<void>;
+    signOut: (opts?: SignOutOptions) => Promise<void>;
+    redirectToSignIn: (opts?: SignInOptions) => Promise<void>;
+    getToken: () => Promise<string | null>;
+    fetch: (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+}
+declare function useAuth(): UseAuthResult;
+interface UseOrganizationResult {
+    isLoaded: boolean;
+    organization: {
+        id: string;
+        tenantId: string;
+    } | null;
+    error: SessionError | null;
+}
+/**
+ * In IQAuth a "tenant" is the closest analog to Clerk's organization. This
+ * hook returns the tenant the active session is scoped to.
+ */
+declare function useOrganization(): UseOrganizationResult;
+/**
+ * Returns a fetch-like function that auto-attaches the access token and
+ * coordinates refresh. Identical to `useAuth().fetch` but exposed as its own
+ * hook for ergonomic destructuring.
+ */
+declare function useAuthFetch(): (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+declare function SignedIn({ children }: {
+    children?: ReactNode;
+}): React.FunctionComponentElement<{
+    children?: ReactNode | undefined;
+}> | null;
+declare function SignedOut({ children }: {
+    children?: ReactNode;
+}): React.FunctionComponentElement<{
+    children?: ReactNode | undefined;
+}> | null;
+interface RedirectToSignInProps extends SignInOptions {
+}
+declare function RedirectToSignIn(props?: RedirectToSignInProps): null;
+/**
+ * Drop-in callback route. Mount at the path you registered as your
+ * `redirect_uri` (e.g. `/auth/callback`) and the SDK will exchange the code
+ * and navigate to the original `return_to`.
+ */
+interface AuthCallbackProps {
+    /** Override the default `window.location.replace` navigation. */
+    onComplete?: (result: CallbackResult) => void;
+    /** Render while the exchange is in flight. */
+    fallback?: ReactNode;
+}
+declare function AuthCallback({ onComplete, fallback }?: AuthCallbackProps): React.FunctionComponentElement<{
+    children?: ReactNode | undefined;
+}>;
+interface IQAuthBranding {
+    brandName: string | null;
+    logoUrl: string | null;
+    loginHeadline: string | null;
+    loginSubheadline: string | null;
+    primaryColor: string | null;
+    accentColor: string | null;
+    backgroundColor: string | null;
+    surfaceColor: string | null;
+    textColor: string | null;
+    supportEmail?: string | null;
+    supportUrl?: string | null;
+    termsUrl?: string | null;
+    privacyUrl?: string | null;
+}
+interface IQAuthSignInContext {
+    app: {
+        id: string;
+        key: string;
+        name: string;
+        tenantId: string | null;
+        mode: string;
+        defaultClientId: string | null;
+    };
+    providers?: {
+        google?: boolean;
+    };
+    allowedOrigins: string[];
+    returnAllowed: boolean;
+    branding: IQAuthBranding | null;
+}
+interface SharedComponentProps {
+    /** Base URL of the IQAuth service (e.g. https://auth.dispositioniq.com). */
+    iqAuthBaseUrl: string;
+    /** App key registered via Phase A's POST /api/v1/apps. */
+    appKey: string;
+    /** Optional className for the outer wrapper. */
+    className?: string;
+}
+/**
+ * Hook that loads the public sign-in context for an app (branding + allowed origins).
+ */
+declare function useIQAuthSignInContext(iqAuthBaseUrl: string, appKey: string, returnTo: string): {
+    ctx: IQAuthSignInContext | null;
+    loading: boolean;
+    error: string | null;
+};
+interface SignInProps extends SharedComponentProps {
+    /** URL the IQAuth backend should redirect back to with `?code=...`. Must be in the app's allowed_origins. */
+    returnTo: string;
+    /** Called after successful redirect. By default, `window.location.href = url`. */
+    onRedirect?: (url: string) => void;
+}
+declare function SignIn({ iqAuthBaseUrl, appKey, returnTo, onRedirect, className }: SignInProps): react_jsx_runtime.JSX.Element;
+interface SignUpProps extends SharedComponentProps {
+    returnTo?: string;
+    onSuccess?: () => void;
+}
+declare function SignUp({ iqAuthBaseUrl, appKey, returnTo, onSuccess, className }: SignUpProps): react_jsx_runtime.JSX.Element;
+interface UserSummary {
+    sub: string;
+    email: string;
+    name: string;
+    picture?: string | null;
+}
+interface UserButtonProps {
+    iqAuthBaseUrl: string;
+    /** Where to send the user when they click "Account". Defaults to `${iqAuthBaseUrl}/account`. */
+    accountUrl?: string;
+    /** Called after sign-out. Defaults to navigating to /sign-in if a returnTo+appKey are provided, else `window.location.reload()`. */
+    onSignOut?: () => void;
+    className?: string;
+}
+declare function UserButton({ iqAuthBaseUrl, accountUrl, onSignOut, className }: UserButtonProps): react_jsx_runtime.JSX.Element | null;
+interface UserProfileProps {
+    iqAuthBaseUrl: string;
+    className?: string;
+}
+declare function UserProfile({ iqAuthBaseUrl, className }: UserProfileProps): react_jsx_runtime.JSX.Element;
+interface OrganizationSwitcherProps {
+    iqAuthBaseUrl: string;
+    onSwitched?: (tenantId: string) => void;
+    className?: string;
+}
+declare function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, className }: OrganizationSwitcherProps): react_jsx_runtime.JSX.Element;
+declare const __version__ = "phase-bc-1.0.0";
+
+export { AuthCallback, type AuthCallbackProps, type IQAuthBranding, IQAuthProvider, type IQAuthProviderProps, type IQAuthSignInContext, OrganizationSwitcher, type OrganizationSwitcherProps, RedirectToSignIn, type RedirectToSignInProps, type SessionError, type SharedComponentProps, SignIn, type SignInProps, SignUp, type SignUpProps, SignedIn, SignedOut, type UseAuthResult, type UseOrganizationResult, type UseSessionResult, type UseUserResult, UserButton, type UserButtonProps, UserProfile, type UserProfileProps, type UserSummary, __version__, useAuth, useAuthFetch, useIQAuthSignInContext, useOrganization, useSession, useUser };