@iqauth/sdk 2.0.0

package/dist/chunk-E46DKOVI.mjs

@@ -0,0 +1,632 @@
+import {
+  parsePublishableKey
+} from "./chunk-5WFR6Y33.mjs";
+import {
+  IQAuthError
+} from "./chunk-6I6RM4MN.mjs";
+import {
+  __require
+} from "./chunk-Y6FXYEAI.mjs";
+
+// src/browser/storage.ts
+var REFRESH_COOKIE = "iqauth_rt";
+var PKCE_STORAGE_PREFIX = "iqauth.pkce.";
+function isBrowser() {
+  return typeof window !== "undefined" && typeof document !== "undefined";
+}
+function setCookie(name, value, opts = {}) {
+  if (!isBrowser()) return;
+  const parts = [`${name}=${encodeURIComponent(value)}`];
+  parts.push(`Path=${opts.path ?? "/"}`);
+  if (opts.maxAgeSeconds !== void 0) parts.push(`Max-Age=${opts.maxAgeSeconds}`);
+  if (opts.domain) parts.push(`Domain=${opts.domain}`);
+  if (opts.secure ?? location.protocol === "https:") parts.push("Secure");
+  parts.push(`SameSite=${opts.sameSite ?? "lax"}`);
+  document.cookie = parts.join("; ");
+}
+function getCookie(name) {
+  if (!isBrowser()) return null;
+  const target = `${name}=`;
+  const segments = document.cookie ? document.cookie.split(";") : [];
+  for (const seg of segments) {
+    const trimmed = seg.trim();
+    if (trimmed.startsWith(target)) {
+      try {
+        return decodeURIComponent(trimmed.slice(target.length));
+      } catch {
+        return null;
+      }
+    }
+  }
+  return null;
+}
+function clearCookie(name, opts = {}) {
+  setCookie(name, "", { ...opts, maxAgeSeconds: 0 });
+}
+function savePkce(record) {
+  if (!isBrowser()) return;
+  try {
+    sessionStorage.setItem(PKCE_STORAGE_PREFIX + record.state, JSON.stringify(record));
+  } catch {
+  }
+}
+function loadPkce(state) {
+  if (!isBrowser()) return null;
+  try {
+    const raw = sessionStorage.getItem(PKCE_STORAGE_PREFIX + state);
+    if (!raw) return null;
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function clearPkce(state) {
+  if (!isBrowser()) return;
+  try {
+    sessionStorage.removeItem(PKCE_STORAGE_PREFIX + state);
+  } catch {
+  }
+}
+
+// src/browser/sessionManager.ts
+var DEFAULT_REFRESH_PATH = "/api/v1/auth/refresh";
+var DEFAULT_USERINFO_PATH = "/api/v1/auth/me";
+function decodeClaims(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const json = typeof atob === "function" ? decodeURIComponent(
+      atob(parts[1].replace(/-/g, "+").replace(/_/g, "/")).split("").map((c) => "%" + ("00" + c.charCodeAt(0).toString(16)).slice(-2)).join("")
+    ) : Buffer.from(parts[1], "base64url").toString("utf8");
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+}
+function claimsToSessionUser(claims) {
+  if (!claims) return null;
+  return {
+    sub: claims.sub,
+    email: claims.email,
+    name: claims.name,
+    tenantId: claims.tenantId,
+    vendorId: claims.vendorId,
+    roles: claims.roles ?? [],
+    entitlements: claims.entitlements ?? []
+  };
+}
+var EMPTY = {
+  status: "loading",
+  accessToken: null,
+  user: null,
+  claims: null,
+  tenantId: null,
+  error: null,
+  version: 0
+};
+function defaultCookieStore() {
+  return {
+    read: () => getCookie(REFRESH_COOKIE),
+    write: (token) => setCookie(REFRESH_COOKIE, token, { maxAgeSeconds: 60 * 60 * 24 * 30 }),
+    clear: () => clearCookie(REFRESH_COOKIE)
+  };
+}
+var NO_OP_STORE = {
+  read: () => null,
+  write: () => void 0,
+  clear: () => void 0
+};
+var SessionManager = class {
+  constructor(options) {
+    this.snapshot = { ...EMPTY };
+    this.listeners = /* @__PURE__ */ new Set();
+    this.refreshPromise = null;
+    this.channel = null;
+    this.proactiveTimer = null;
+    this.bootstrapped = false;
+    /** Pending refresh awaited by other tabs after a `refresh:claim` from us. */
+    this.remoteRefreshWaiters = [];
+    /** Active claims by other tabs (keyed by source tabId). */
+    this.foreignClaim = null;
+    const parsed = parsePublishableKey(options.publishableKey);
+    if (!parsed) {
+      throw new Error(
+        `Invalid IQAuth publishable key. Expected pk_test_\u2026 or pk_live_\u2026 (got ${options.publishableKey?.slice(0, 12) ?? "<empty>"}\u2026).`
+      );
+    }
+    this.key = parsed;
+    const inferred = options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`);
+    this.issuer = inferred.replace(/\/+$/, "");
+    this.refreshPath = options.refreshPath ?? DEFAULT_REFRESH_PATH;
+    this.userinfoPath = options.userinfoPath ?? DEFAULT_USERINFO_PATH;
+    this.useCookies = options.useCookies ?? true;
+    this.proactiveRefresh = options.proactiveRefresh ?? true;
+    this.tokenStore = options.tokenStore ?? (this.useCookies ? defaultCookieStore() : NO_OP_STORE);
+    this.crossTabLockTimeoutMs = options.crossTabLockTimeoutMs ?? 4e3;
+    this.fetchImpl = options.fetchImpl ?? (typeof fetch !== "undefined" ? fetch.bind(globalThis) : (() => {
+      throw new Error("global fetch is not available; pass fetchImpl");
+    }));
+    this.tabId = Math.random().toString(36).slice(2);
+    if (typeof BroadcastChannel !== "undefined") {
+      const name = options.channelName ?? `iqauth.${parsed.appId}`;
+      try {
+        this.channel = new BroadcastChannel(name);
+        this.channel.onmessage = (ev) => this.onBroadcast(ev.data);
+      } catch {
+        this.channel = null;
+      }
+    }
+  }
+  get publishableKey() {
+    return this.key;
+  }
+  get appKey() {
+    return this.key.appId;
+  }
+  get tenantIdFromKey() {
+    return this.key.tenantId;
+  }
+  get issuerUrl() {
+    return this.issuer;
+  }
+  getSnapshot() {
+    return this.snapshot;
+  }
+  subscribe(listener) {
+    this.listeners.add(listener);
+    return () => {
+      this.listeners.delete(listener);
+    };
+  }
+  /**
+   * One-time bootstrap: warm the session from the refresh cookie if present.
+   * Safe to call multiple times.
+   */
+  async bootstrap() {
+    if (this.bootstrapped) return;
+    this.bootstrapped = true;
+    const stored = await Promise.resolve(this.tokenStore.read());
+    if (!stored) {
+      this.setStatus("unauthenticated");
+      return;
+    }
+    const ok = await this.refresh();
+    if (!ok) this.setStatus("unauthenticated");
+  }
+  /**
+   * Single-flight token refresh, coordinated across tabs via BroadcastChannel.
+   *
+   * Per-tab: concurrent callers share the same `refreshPromise`.
+   * Cross-tab: a tab that wants to refresh first broadcasts a `refresh:claim`
+   * with its tabId + timestamp. If it has already received a competing claim
+   * with an earlier timestamp (or lower tabId on tie), it waits for that
+   * tab's `refresh:done` message instead of issuing its own HTTP request.
+   * This prevents two tabs racing on rotating refresh tokens, which would
+   * invalidate the session.
+   */
+  refresh() {
+    if (this.refreshPromise) return this.refreshPromise;
+    this.refreshPromise = this.runRefresh().finally(() => {
+      this.refreshPromise = null;
+    });
+    return this.refreshPromise;
+  }
+  async runRefresh() {
+    const myClaim = { source: this.tabId, ts: Date.now() };
+    if (this.channel) {
+      this.broadcastEnvelope({ type: "refresh:claim", source: myClaim.source, ts: myClaim.ts });
+      await new Promise((r) => setTimeout(r, 25));
+      const foreign = this.foreignClaim;
+      if (foreign && this.claimWins(foreign, myClaim)) {
+        return this.waitForForeignRefresh();
+      }
+    }
+    try {
+      const refreshToken = await Promise.resolve(this.tokenStore.read());
+      const res = await this.fetchImpl(`${this.issuer}${this.refreshPath}`, {
+        method: "POST",
+        credentials: "include",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(refreshToken ? { refreshToken } : {})
+      });
+      const body = await res.json().catch(() => ({}));
+      const data = body.data;
+      if (!res.ok || !body.success || !data?.accessToken) {
+        const err = body.error;
+        this.setError({
+          code: err?.code ?? "REFRESH_FAILED",
+          message: err?.message ?? `Refresh failed with status ${res.status}`
+        });
+        this.broadcastEnvelope({ type: "refresh:done", source: this.tabId, ts: Date.now(), ok: false });
+        return false;
+      }
+      if (data.refreshToken) {
+        await Promise.resolve(this.tokenStore.write(data.refreshToken));
+      }
+      this.applyAccessToken(data.accessToken);
+      this.broadcast("session:refresh");
+      this.broadcastEnvelope({ type: "refresh:done", source: this.tabId, ts: Date.now(), ok: true });
+      return true;
+    } catch (err) {
+      this.setError({
+        code: "NETWORK_ERROR",
+        message: err instanceof Error ? err.message : "Refresh request failed"
+      });
+      this.broadcastEnvelope({ type: "refresh:done", source: this.tabId, ts: Date.now(), ok: false });
+      return false;
+    } finally {
+      this.foreignClaim = null;
+    }
+  }
+  claimWins(foreign, mine) {
+    if (foreign.ts < mine.ts) return true;
+    if (foreign.ts > mine.ts) return false;
+    return foreign.source < mine.source;
+  }
+  waitForForeignRefresh() {
+    return new Promise((resolve) => {
+      let settled = false;
+      const finish = (ok) => {
+        if (settled) return;
+        settled = true;
+        const idx = this.remoteRefreshWaiters.indexOf(finish);
+        if (idx >= 0) this.remoteRefreshWaiters.splice(idx, 1);
+        resolve(ok);
+      };
+      this.remoteRefreshWaiters.push(finish);
+      setTimeout(() => finish(this.snapshot.status === "authenticated"), this.crossTabLockTimeoutMs);
+    });
+  }
+  /**
+   * Apply an access token (e.g. fresh from a callback exchange) to the
+   * session and notify subscribers and other tabs.
+   */
+  applyAccessToken(accessToken, refreshToken) {
+    const claims = decodeClaims(accessToken);
+    const user = claimsToSessionUser(claims);
+    if (refreshToken) {
+      void Promise.resolve(this.tokenStore.write(refreshToken));
+    }
+    this.update({
+      status: user ? "authenticated" : "unauthenticated",
+      accessToken,
+      user,
+      claims,
+      tenantId: claims?.tenantId ?? this.key.tenantId,
+      error: null,
+      version: this.snapshot.version + 1
+    });
+    this.scheduleProactiveRefresh();
+    this.broadcast("session:update");
+  }
+  /**
+   * Returns a valid access token, refreshing once if it is expired or about
+   * to expire. Resolves to `null` if the session can no longer be revived.
+   */
+  async getToken() {
+    if (this.snapshot.accessToken && !this.isTokenExpiringSoon(this.snapshot.accessToken)) {
+      return this.snapshot.accessToken;
+    }
+    const ok = await this.refresh();
+    return ok ? this.snapshot.accessToken : null;
+  }
+  /**
+   * Browser-safe HTTP wrapper. Attaches the current access token and retries
+   * once on 401 (refreshing in between). Rejects with an `IQAuthError` on
+   * the second 401 — the caller is then responsible for redirecting to
+   * sign-in (typically by letting the unauthenticated state surface through
+   * `<SignedOut/>`).
+   */
+  async fetch(input, init = {}) {
+    const exec = async (token2) => {
+      const headers = new Headers(init.headers || {});
+      if (token2) headers.set("Authorization", `Bearer ${token2}`);
+      return this.fetchImpl(input, {
+        ...init,
+        headers,
+        credentials: init.credentials ?? "include"
+      });
+    };
+    let token = await this.getToken();
+    let res = await exec(token);
+    if (res.status !== 401) return res;
+    const refreshed = await this.refresh();
+    if (!refreshed) {
+      this.signOutLocal("unauthenticated");
+      throw new IQAuthError(
+        "TOKEN_EXPIRED",
+        "Session refresh failed; user must sign in again",
+        401
+      );
+    }
+    token = this.snapshot.accessToken;
+    res = await exec(token);
+    if (res.status === 401) {
+      this.signOutLocal("unauthenticated");
+      throw new IQAuthError(
+        "TOKEN_EXPIRED",
+        "Authenticated request failed twice with 401; aborting",
+        401
+      );
+    }
+    return res;
+  }
+  /**
+   * Clear the session locally and broadcast a sign-out to other tabs. Does
+   * not call the server — callers (e.g. signOut helper) are responsible for
+   * the server-side logout request.
+   */
+  signOutLocal(status = "unauthenticated") {
+    void Promise.resolve(this.tokenStore.clear());
+    if (this.proactiveTimer) {
+      clearTimeout(this.proactiveTimer);
+      this.proactiveTimer = null;
+    }
+    this.update({
+      status,
+      accessToken: null,
+      user: null,
+      claims: null,
+      tenantId: null,
+      error: null,
+      version: this.snapshot.version + 1
+    });
+    this.broadcast("session:signout");
+  }
+  destroy() {
+    if (this.proactiveTimer) clearTimeout(this.proactiveTimer);
+    this.proactiveTimer = null;
+    if (this.channel) {
+      try {
+        this.channel.close();
+      } catch {
+      }
+    }
+    this.channel = null;
+    this.listeners.clear();
+  }
+  // --- internals -----------------------------------------------------------
+  setStatus(status) {
+    if (this.snapshot.status === status) return;
+    this.update({ ...this.snapshot, status, version: this.snapshot.version + 1 });
+  }
+  setError(error) {
+    this.update({ ...this.snapshot, error, version: this.snapshot.version + 1 });
+  }
+  update(next) {
+    this.snapshot = next;
+    for (const l of this.listeners) l(next);
+  }
+  isTokenExpiringSoon(token) {
+    const claims = decodeClaims(token);
+    if (!claims?.exp) return false;
+    return claims.exp - Math.floor(Date.now() / 1e3) < 60;
+  }
+  scheduleProactiveRefresh() {
+    if (!this.proactiveRefresh) return;
+    if (this.proactiveTimer) {
+      clearTimeout(this.proactiveTimer);
+      this.proactiveTimer = null;
+    }
+    const claims = this.snapshot.claims;
+    if (!claims?.exp) return;
+    const msUntilRefresh = Math.max(5e3, claims.exp * 1e3 - Date.now() - 6e4);
+    this.proactiveTimer = setTimeout(() => {
+      void this.refresh();
+    }, msUntilRefresh);
+  }
+  broadcast(type) {
+    this.broadcastEnvelope({ type, source: this.tabId, ts: Date.now(), payload: this.snapshot });
+  }
+  broadcastEnvelope(env) {
+    if (!this.channel) return;
+    try {
+      this.channel.postMessage(env);
+    } catch {
+    }
+  }
+  onBroadcast(env) {
+    if (!env || env.source === this.tabId) return;
+    if (env.type === "refresh:claim") {
+      this.foreignClaim = { source: env.source, ts: env.ts };
+      return;
+    }
+    if (env.type === "refresh:done") {
+      const ok = env.ok ?? false;
+      const waiters = this.remoteRefreshWaiters;
+      this.remoteRefreshWaiters = [];
+      for (const w of waiters) w(ok);
+      this.foreignClaim = null;
+      return;
+    }
+    if (env.type === "session:signout") {
+      this.update({
+        status: "unauthenticated",
+        accessToken: null,
+        user: null,
+        claims: null,
+        tenantId: null,
+        error: null,
+        version: this.snapshot.version + 1
+      });
+      return;
+    }
+    if ((env.type === "session:update" || env.type === "session:refresh") && env.payload) {
+      this.update({
+        ...env.payload,
+        version: Math.max(this.snapshot.version, env.payload.version) + 1
+      });
+      if (this.remoteRefreshWaiters.length) {
+        const waiters = this.remoteRefreshWaiters;
+        this.remoteRefreshWaiters = [];
+        for (const w of waiters) w(true);
+      }
+    }
+  }
+};
+
+// src/browser/pkce.ts
+function getCrypto() {
+  if (typeof globalThis !== "undefined" && globalThis.crypto) {
+    return globalThis.crypto;
+  }
+  try {
+    const nodeCrypto = __require("crypto").webcrypto;
+    if (nodeCrypto) return nodeCrypto;
+  } catch {
+  }
+  throw new Error("WebCrypto is not available in this environment");
+}
+function base64UrlEncode(bytes) {
+  let bin = "";
+  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
+  const b64 = typeof btoa === "function" ? btoa(bin) : Buffer.from(bin, "binary").toString("base64");
+  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function randomUrlSafe(byteLength = 32) {
+  const bytes = new Uint8Array(byteLength);
+  getCrypto().getRandomValues(bytes);
+  return base64UrlEncode(bytes);
+}
+async function s256Challenge(verifier) {
+  const data = new TextEncoder().encode(verifier);
+  const digest = await getCrypto().subtle.digest("SHA-256", data);
+  return base64UrlEncode(new Uint8Array(digest));
+}
+async function createPkcePair() {
+  const codeVerifier = randomUrlSafe(32);
+  const codeChallenge = await s256Challenge(codeVerifier);
+  const state = randomUrlSafe(16);
+  const nonce = randomUrlSafe(16);
+  return { codeVerifier, codeChallenge, state, nonce };
+}
+
+// src/browser/signIn.ts
+var DEFAULT_SIGN_IN_PATH = "/sign-in";
+var DEFAULT_LOGOUT_PATH = "/api/v1/auth/logout";
+var DEFAULT_TOKEN_PATH = "/oidc/token";
+var DEFAULT_CALLBACK_PATH = "/auth/callback";
+function defaultRedirectUri() {
+  if (typeof window === "undefined") {
+    throw new Error("redirectToSignIn requires a browser environment (window)");
+  }
+  return `${window.location.origin}${DEFAULT_CALLBACK_PATH}`;
+}
+function defaultReturnTo() {
+  if (typeof window === "undefined") return "/";
+  return window.location.href;
+}
+async function buildSignInUrl(manager, opts = {}) {
+  const pkce = await createPkcePair();
+  const redirectUri = opts.redirectUri ?? defaultRedirectUri();
+  const returnTo = opts.returnTo ?? defaultReturnTo();
+  savePkce({
+    codeVerifier: pkce.codeVerifier,
+    state: pkce.state,
+    nonce: pkce.nonce,
+    redirectUri,
+    appKey: manager.publishableKey.raw,
+    returnTo,
+    createdAt: Date.now()
+  });
+  const url = new URL(opts.signInPath ?? DEFAULT_SIGN_IN_PATH, manager.issuerUrl);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("app", manager.appKey);
+  url.searchParams.set("publishable_key", manager.publishableKey.raw);
+  url.searchParams.set("redirect_uri", redirectUri);
+  url.searchParams.set("state", pkce.state);
+  url.searchParams.set("nonce", pkce.nonce);
+  url.searchParams.set("code_challenge", pkce.codeChallenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  url.searchParams.set("scope", opts.scope ?? "openid profile email");
+  url.searchParams.set("return_to", returnTo);
+  return url.toString();
+}
+async function redirectToSignIn(manager, opts = {}) {
+  const url = await buildSignInUrl(manager, opts);
+  if (typeof window === "undefined") {
+    throw new Error("redirectToSignIn requires a browser environment");
+  }
+  window.location.assign(url);
+}
+async function signIn(manager, opts = {}) {
+  return redirectToSignIn(manager, opts);
+}
+async function handleAuthCallback(manager, options = {}) {
+  const url = new URL(options.url ?? (typeof window !== "undefined" ? window.location.href : ""));
+  const code = url.searchParams.get("code");
+  const state = url.searchParams.get("state");
+  const errorParam = url.searchParams.get("error");
+  if (errorParam) {
+    return { ok: false, returnTo: "/", error: errorParam };
+  }
+  if (!code || !state) {
+    return { ok: false, returnTo: "/", error: "missing_code_or_state" };
+  }
+  const record = loadPkce(state);
+  if (!record) {
+    return { ok: false, returnTo: "/", error: "unknown_state" };
+  }
+  clearPkce(state);
+  const fetchImpl = options.fetchImpl ?? (typeof fetch !== "undefined" ? fetch.bind(globalThis) : null);
+  if (!fetchImpl) {
+    return { ok: false, returnTo: record.returnTo, error: "no_fetch" };
+  }
+  const tokenUrl = `${manager.issuerUrl}${options.tokenPath ?? DEFAULT_TOKEN_PATH}`;
+  const res = await fetchImpl(tokenUrl, {
+    method: "POST",
+    credentials: "include",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      grant_type: "authorization_code",
+      code,
+      redirect_uri: record.redirectUri,
+      client_id: manager.appKey,
+      code_verifier: record.codeVerifier
+    })
+  });
+  const body = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    const desc = body.error_description ?? body.error ?? "token_exchange_failed";
+    return { ok: false, returnTo: record.returnTo, error: desc };
+  }
+  const tokens = body;
+  if (!tokens.access_token) {
+    return { ok: false, returnTo: record.returnTo, error: "missing_access_token" };
+  }
+  if (tokens.refresh_token) {
+    setCookie(REFRESH_COOKIE, tokens.refresh_token, { maxAgeSeconds: 60 * 60 * 24 * 30 });
+  }
+  manager.applyAccessToken(tokens.access_token, tokens.refresh_token);
+  return { ok: true, returnTo: record.returnTo };
+}
+async function signOut(manager, opts = {}) {
+  if (!opts.localOnly) {
+    try {
+      const url = `${manager.issuerUrl}${opts.logoutPath ?? DEFAULT_LOGOUT_PATH}`;
+      await manager.fetch(url, { method: "POST" }).catch(() => void 0);
+    } catch {
+    }
+  }
+  clearCookie(REFRESH_COOKIE);
+  manager.signOutLocal();
+  if (opts.returnTo && typeof window !== "undefined") {
+    window.location.assign(opts.returnTo);
+  }
+}
+
+export {
+  REFRESH_COOKIE,
+  setCookie,
+  getCookie,
+  clearCookie,
+  SessionManager,
+  randomUrlSafe,
+  s256Challenge,
+  createPkcePair,
+  buildSignInUrl,
+  redirectToSignIn,
+  signIn,
+  handleAuthCallback,
+  signOut
+};