@iqauth/sdk 2.0.0

package/dist/browser.mjs

@@ -0,0 +1,47 @@
+import {
+  REFRESH_COOKIE,
+  SessionManager,
+  buildSignInUrl,
+  clearCookie,
+  createPkcePair,
+  getCookie,
+  handleAuthCallback,
+  randomUrlSafe,
+  redirectToSignIn,
+  s256Challenge,
+  setCookie,
+  signIn,
+  signOut
+} from "./chunk-E46DKOVI.mjs";
+import {
+  encodePublishableKey,
+  isPublishableKey,
+  isSecretKey,
+  parsePublishableKey
+} from "./chunk-5WFR6Y33.mjs";
+import {
+  ErrorCodes,
+  IQAuthError
+} from "./chunk-6I6RM4MN.mjs";
+import "./chunk-Y6FXYEAI.mjs";
+export {
+  ErrorCodes,
+  IQAuthError,
+  REFRESH_COOKIE,
+  SessionManager,
+  buildSignInUrl,
+  clearCookie,
+  createPkcePair,
+  encodePublishableKey,
+  getCookie,
+  handleAuthCallback,
+  isPublishableKey,
+  isSecretKey,
+  parsePublishableKey,
+  randomUrlSafe,
+  redirectToSignIn,
+  s256Challenge,
+  setCookie,
+  signIn,
+  signOut
+};

package/dist/chunk-5HF3OBNO.mjs

@@ -0,0 +1,189 @@
+import {
+  parsePublishableKey
+} from "./chunk-5WFR6Y33.mjs";
+
+// src/server/handlers.ts
+var ACCESS_TOKEN_TTL_SECONDS = 60 * 15;
+var REFRESH_TOKEN_TTL_SECONDS = 60 * 60 * 24 * 30;
+function resolve(config) {
+  const parsed = parsePublishableKey(config.publishableKey);
+  if (!parsed) {
+    throw new Error(
+      "@iqauth/sdk: invalid publishable key passed to iqAuth helpers (expected pk_test_\u2026 or pk_live_\u2026)"
+    );
+  }
+  const inferredIssuer = parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`;
+  return {
+    publishableKey: config.publishableKey,
+    secretKey: config.secretKey,
+    issuer: (config.issuer ?? inferredIssuer).replace(/\/+$/, ""),
+    accessCookieName: config.accessCookieName ?? "iqauth_at",
+    refreshCookieName: config.refreshCookieName ?? "iqauth_rt",
+    cookieDomain: config.cookieDomain,
+    sameSite: config.sameSite ?? "lax",
+    secure: config.secure ?? true,
+    cookiePath: config.cookiePath ?? "/",
+    tokenPath: config.tokenPath ?? "/oidc/token",
+    refreshPath: config.refreshPath ?? "/api/v1/auth/refresh",
+    logoutPath: config.logoutPath ?? "/api/v1/auth/logout",
+    fetchImpl: config.fetchImpl ?? (typeof fetch !== "undefined" ? fetch.bind(globalThis) : (() => {
+      throw new Error("global fetch is unavailable; pass fetchImpl");
+    })),
+    appId: parsed.appId,
+    tenantId: parsed.tenantId
+  };
+}
+function makeCookie(cfg, name, value, maxAge, httpOnly = true) {
+  return {
+    name,
+    value,
+    maxAge,
+    httpOnly,
+    secure: cfg.secure,
+    sameSite: cfg.sameSite,
+    path: cfg.cookiePath,
+    domain: cfg.cookieDomain
+  };
+}
+function clearCookies(cfg) {
+  return [
+    makeCookie(cfg, cfg.accessCookieName, "", 0),
+    makeCookie(cfg, cfg.refreshCookieName, "", 0)
+  ];
+}
+function serializeCookie(d) {
+  const parts = [`${d.name}=${encodeURIComponent(d.value)}`];
+  parts.push(`Path=${d.path}`);
+  if (d.domain) parts.push(`Domain=${d.domain}`);
+  parts.push(`Max-Age=${d.maxAge}`);
+  if (d.secure) parts.push("Secure");
+  if (d.httpOnly) parts.push("HttpOnly");
+  parts.push(`SameSite=${d.sameSite}`);
+  return parts.join("; ");
+}
+async function handleCallback(config, input) {
+  const cfg = resolve(config);
+  if (!input.code || !input.redirectUri) {
+    return {
+      status: 400,
+      body: { success: false, error: { code: "VALIDATION_ERROR", message: "code and redirectUri are required" } },
+      cookies: []
+    };
+  }
+  if (!cfg.secretKey) {
+    return {
+      status: 500,
+      body: { success: false, error: { code: "INTERNAL_ERROR", message: "secretKey is required for the callback handler" } },
+      cookies: []
+    };
+  }
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    code: input.code,
+    redirect_uri: input.redirectUri,
+    client_id: cfg.appId
+  });
+  if (input.codeVerifier) body.set("code_verifier", input.codeVerifier);
+  const res = await cfg.fetchImpl(`${cfg.issuer}${cfg.tokenPath}`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Authorization: `Basic ${typeof btoa === "function" ? btoa(`${cfg.appId}:${cfg.secretKey}`) : Buffer.from(`${cfg.appId}:${cfg.secretKey}`).toString("base64")}`
+    },
+    body: body.toString()
+  });
+  const json = await res.json().catch(() => ({}));
+  if (!res.ok || !json.access_token) {
+    return {
+      status: res.status || 502,
+      body: {
+        success: false,
+        error: {
+          code: json.error || "OIDC_EXCHANGE_FAILED",
+          message: json.error_description || "Authorization code exchange failed"
+        }
+      },
+      cookies: []
+    };
+  }
+  const cookies = [];
+  cookies.push(
+    makeCookie(cfg, cfg.accessCookieName, json.access_token, json.expires_in ?? ACCESS_TOKEN_TTL_SECONDS)
+  );
+  if (json.refresh_token) {
+    cookies.push(makeCookie(cfg, cfg.refreshCookieName, json.refresh_token, REFRESH_TOKEN_TTL_SECONDS));
+  }
+  return {
+    status: 200,
+    body: { success: true, data: { authenticated: true } },
+    cookies
+  };
+}
+async function handleRefresh(config, input) {
+  const cfg = resolve(config);
+  const refreshToken = input.refreshToken;
+  if (!refreshToken) {
+    return {
+      status: 401,
+      body: { success: false, error: { code: "TOKEN_INVALID", message: "Missing refresh token" } },
+      cookies: clearCookies(cfg)
+    };
+  }
+  const res = await cfg.fetchImpl(`${cfg.issuer}${cfg.refreshPath}`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ refreshToken })
+  });
+  const json = await res.json().catch(() => ({}));
+  if (!res.ok || !json.success || !json.data?.accessToken) {
+    return {
+      status: res.status || 401,
+      body: {
+        success: false,
+        error: {
+          code: json.error?.code || "TOKEN_INVALID",
+          message: json.error?.message || "Refresh failed"
+        }
+      },
+      cookies: clearCookies(cfg)
+    };
+  }
+  const cookies = [
+    makeCookie(cfg, cfg.accessCookieName, json.data.accessToken, ACCESS_TOKEN_TTL_SECONDS)
+  ];
+  if (json.data.refreshToken) {
+    cookies.push(makeCookie(cfg, cfg.refreshCookieName, json.data.refreshToken, REFRESH_TOKEN_TTL_SECONDS));
+  }
+  return {
+    status: 200,
+    body: { success: true, data: { accessToken: json.data.accessToken } },
+    cookies
+  };
+}
+async function handleSignout(config, input) {
+  const cfg = resolve(config);
+  if (input.accessToken) {
+    try {
+      await cfg.fetchImpl(`${cfg.issuer}${cfg.logoutPath}`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${input.accessToken}`
+        }
+      });
+    } catch {
+    }
+  }
+  return {
+    status: 200,
+    body: { success: true, data: { signedOut: true } },
+    cookies: clearCookies(cfg)
+  };
+}
+
+export {
+  serializeCookie,
+  handleCallback,
+  handleRefresh,
+  handleSignout
+};

package/dist/chunk-5WFR6Y33.mjs

@@ -0,0 +1,59 @@
+import {
+  __require
+} from "./chunk-Y6FXYEAI.mjs";
+
+// src/publishableKey.ts
+function b64urlEncode(input) {
+  if (typeof btoa === "function") {
+    const bytes = new TextEncoder().encode(input);
+    let bin = "";
+    for (let i = 0; i < bytes.byteLength; i++) bin += String.fromCharCode(bytes[i]);
+    return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+  }
+  const { Buffer } = __require("buffer");
+  return Buffer.from(input, "utf8").toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function b64urlDecode(input) {
+  const pad = input.length % 4 === 0 ? "" : "=".repeat(4 - input.length % 4);
+  const normalized = input.replace(/-/g, "+").replace(/_/g, "/") + pad;
+  if (typeof atob === "function") {
+    const bin = atob(normalized);
+    const bytes = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
+    return new TextDecoder().decode(bytes);
+  }
+  const { Buffer } = __require("buffer");
+  return Buffer.from(normalized, "base64").toString("utf8");
+}
+function encodePublishableKey(mode, payload) {
+  if (mode !== "test" && mode !== "live") throw new Error(`Invalid mode: ${mode}`);
+  return `pk_${mode}_${b64urlEncode(JSON.stringify(payload))}`;
+}
+function parsePublishableKey(raw) {
+  if (typeof raw !== "string") return null;
+  const m = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
+  if (!m) return null;
+  try {
+    const json = JSON.parse(b64urlDecode(m[2]));
+    if (!json || typeof json !== "object") return null;
+    if (typeof json.iss !== "string" || typeof json.appId !== "string" || typeof json.tenantId !== "string" || typeof json.kid !== "string") {
+      return null;
+    }
+    return { mode: m[1], iss: json.iss, appId: json.appId, tenantId: json.tenantId, kid: json.kid, raw };
+  } catch {
+    return null;
+  }
+}
+function isPublishableKey(raw) {
+  return typeof raw === "string" && /^pk_(test|live)_/.test(raw);
+}
+function isSecretKey(raw) {
+  return typeof raw === "string" && /^sk_(test|live)_/.test(raw);
+}
+
+export {
+  encodePublishableKey,
+  parsePublishableKey,
+  isPublishableKey,
+  isSecretKey
+};

package/dist/chunk-6I6RM4MN.mjs

@@ -0,0 +1,51 @@
+// src/errors.ts
+var IQAuthError = class extends Error {
+  constructor(code, message, status, raw) {
+    super(message);
+    this.name = "IQAuthError";
+    this.code = code;
+    this.status = status;
+    this.raw = raw;
+  }
+};
+var ErrorCodes = {
+  VALIDATION_ERROR: "VALIDATION_ERROR",
+  INVALID_CREDENTIALS: "INVALID_CREDENTIALS",
+  ACCOUNT_INACTIVE: "ACCOUNT_INACTIVE",
+  ACCOUNT_LOCKED: "ACCOUNT_LOCKED",
+  INSUFFICIENT_PERMISSIONS: "INSUFFICIENT_PERMISSIONS",
+  TOKEN_INVALID: "TOKEN_INVALID",
+  TOKEN_EXPIRED: "TOKEN_EXPIRED",
+  TOKEN_REVOKED: "TOKEN_REVOKED",
+  USER_INACTIVE: "USER_INACTIVE",
+  INTERNAL_ERROR: "INTERNAL_ERROR",
+  NOT_FOUND: "NOT_FOUND",
+  SESSION_INVALID: "SESSION_INVALID",
+  SESSION_EXPIRED: "SESSION_EXPIRED",
+  REFRESH_TOKEN_REUSED: "REFRESH_TOKEN_REUSED",
+  PASSWORD_EXPIRED: "PASSWORD_EXPIRED",
+  PIN_EXPIRED: "PIN_EXPIRED",
+  PASSWORD_POLICY_VIOLATION: "PASSWORD_POLICY_VIOLATION",
+  MFA_INVALID_CODE: "MFA_INVALID_CODE",
+  MFA_METHOD_UNAVAILABLE: "MFA_METHOD_UNAVAILABLE",
+  MFA_RATE_LIMITED: "MFA_RATE_LIMITED",
+  MFA_ENROLLMENT_REQUIRED: "MFA_ENROLLMENT_REQUIRED",
+  API_KEY_REQUIRED: "API_KEY_REQUIRED",
+  API_KEY_INVALID: "API_KEY_INVALID",
+  AUTH_REQUIRED: "AUTH_REQUIRED",
+  ALREADY_EXISTS: "ALREADY_EXISTS",
+  FORBIDDEN: "FORBIDDEN",
+  OAUTH_NOT_CONFIGURED: "OAUTH_NOT_CONFIGURED",
+  UPLOAD_ERROR: "UPLOAD_ERROR",
+  EMAIL_SERVICE_UNAVAILABLE: "EMAIL_SERVICE_UNAVAILABLE",
+  INVALID_CODE: "INVALID_CODE",
+  CODE_ALREADY_USED: "CODE_ALREADY_USED",
+  CODE_EXPIRED: "CODE_EXPIRED",
+  CODE_IP_MISMATCH: "CODE_IP_MISMATCH",
+  UNKNOWN_PAYLOAD: "UNKNOWN_PAYLOAD"
+};
+
+export {
+  IQAuthError,
+  ErrorCodes
+};

package/dist/chunk-73R6BEGO.mjs

@@ -0,0 +1,176 @@
+import {
+  parsePublishableKey
+} from "./chunk-5WFR6Y33.mjs";
+import {
+  IQAuthClient
+} from "./chunk-JQWYIIIS.mjs";
+import {
+  IQAuthError
+} from "./chunk-6I6RM4MN.mjs";
+
+// src/middleware/express.ts
+var KNOWN_AUTH_ERROR_CODES = /* @__PURE__ */ new Set([
+  "TOKEN_INVALID",
+  "TOKEN_EXPIRED",
+  "TOKEN_REVOKED",
+  "SESSION_EXPIRED",
+  "SESSION_INVALID",
+  "AUTH_REQUIRED"
+]);
+var DEFAULT_ACCESS_COOKIE = "iqauth_at";
+var DEFAULT_REFRESH_COOKIE = "iqauth_rt";
+function getAuthorizationHeader(req) {
+  const raw = req.headers?.authorization;
+  if (Array.isArray(raw)) return raw[0];
+  return raw;
+}
+function readCookie(req, name) {
+  const cookieJar = req.cookies;
+  if (cookieJar && typeof cookieJar[name] === "string") return cookieJar[name];
+  const raw = req.headers?.cookie;
+  const header = Array.isArray(raw) ? raw.join("; ") : raw;
+  if (!header) return void 0;
+  const target = `${name}=`;
+  for (const seg of header.split(";")) {
+    const trimmed = seg.trim();
+    if (trimmed.startsWith(target)) {
+      try {
+        return decodeURIComponent(trimmed.slice(target.length));
+      } catch {
+        return trimmed.slice(target.length);
+      }
+    }
+  }
+  return void 0;
+}
+function clientFromPublishableKey(opts) {
+  const parsed = parsePublishableKey(opts.publishableKey);
+  if (!parsed) {
+    throw new Error("iqAuthMiddleware: invalid publishable key");
+  }
+  const issuer = (opts.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
+  return new IQAuthClient({ baseUrl: issuer, environment: "server" });
+}
+function iqAuthMiddleware(clientOrOptions, options = {}) {
+  let client;
+  let resolvedOptions;
+  const isPkConfig = !!clientOrOptions && typeof clientOrOptions.publishableKey === "string" && !clientOrOptions.tokens;
+  if (isPkConfig) {
+    const cfg = clientOrOptions;
+    client = clientFromPublishableKey(cfg);
+    const { publishableKey: _pk, issuer: _iss, ...rest } = cfg;
+    void _pk;
+    void _iss;
+    resolvedOptions = rest;
+  } else {
+    client = clientOrOptions;
+    resolvedOptions = options;
+  }
+  const {
+    requireAuth = true,
+    requiredRoles = [],
+    requiredEntitlements = [],
+    onUnauthorized,
+    onForbidden,
+    onError,
+    accessCookieName = DEFAULT_ACCESS_COOKIE,
+    cookieAware = true
+  } = resolvedOptions;
+  return async (req, res, next) => {
+    let token;
+    const authHeader = getAuthorizationHeader(req);
+    if (authHeader && authHeader.startsWith("Bearer ")) {
+      token = authHeader.substring(7);
+    } else if (cookieAware) {
+      const cookieToken = readCookie(req, accessCookieName);
+      if (cookieToken) token = cookieToken;
+    }
+    if (!token) {
+      if (!requireAuth) {
+        next();
+        return;
+      }
+      const reason = "Missing or invalid authorization header";
+      if (onUnauthorized) {
+        onUnauthorized(res, reason);
+        return;
+      }
+      res.status(401).json({
+        success: false,
+        error: { code: "TOKEN_INVALID", message: reason }
+      });
+      return;
+    }
+    let claims;
+    try {
+      claims = await client.tokens.verify(token);
+    } catch (err) {
+      if (err instanceof IQAuthError && KNOWN_AUTH_ERROR_CODES.has(err.code)) {
+        const reason = err.message || "Invalid access token";
+        if (onUnauthorized) {
+          onUnauthorized(res, reason);
+          return;
+        }
+        res.status(401).json({
+          success: false,
+          error: { code: err.code, message: reason }
+        });
+        return;
+      }
+      if (onError) {
+        try {
+          onError(err);
+        } catch {
+        }
+      }
+      res.status(500).json({
+        success: false,
+        error: {
+          code: "INTERNAL_ERROR",
+          message: "Authentication failed due to an internal error"
+        }
+      });
+      return;
+    }
+    req.auth = claims;
+    if (requiredRoles.length > 0) {
+      const userRoles = claims.roles || [];
+      const hasRequired = requiredRoles.some((r) => userRoles.includes(r));
+      if (!hasRequired) {
+        const reason = `Missing required role. Required one of: ${requiredRoles.join(", ")}`;
+        if (onForbidden) {
+          onForbidden(res, reason);
+          return;
+        }
+        res.status(403).json({
+          success: false,
+          error: { code: "INSUFFICIENT_PERMISSIONS", message: reason }
+        });
+        return;
+      }
+    }
+    if (requiredEntitlements.length > 0) {
+      const userEntitlements = claims.entitlements || [];
+      const hasRequired = requiredEntitlements.every((e) => userEntitlements.includes(e));
+      if (!hasRequired) {
+        const reason = `Missing required entitlement(s): ${requiredEntitlements.join(", ")}`;
+        if (onForbidden) {
+          onForbidden(res, reason);
+          return;
+        }
+        res.status(403).json({
+          success: false,
+          error: { code: "INSUFFICIENT_PERMISSIONS", message: reason }
+        });
+        return;
+      }
+    }
+    next();
+  };
+}
+
+export {
+  DEFAULT_ACCESS_COOKIE,
+  DEFAULT_REFRESH_COOKIE,
+  iqAuthMiddleware
+};