@iqauth/sdk 2.0.5 → 2.2.0

package/dist/server/handlers.js

@@ -27,6 +27,17 @@ __export(handlers_exports, {
 });
 module.exports = __toCommonJS(handlers_exports);
 
+// src/errors.ts
+var IQAuthError = class extends Error {
+  constructor(code, message, status, raw) {
+    super(message);
+    this.name = "IQAuthError";
+    this.code = code;
+    this.status = status;
+    this.raw = raw;
+  }
+};
+
 // src/publishableKey.ts
 function b64urlDecode(input) {
   const pad = input.length % 4 === 0 ? "" : "=".repeat(4 - input.length % 4);
@@ -40,20 +51,60 @@ function b64urlDecode(input) {
   const { Buffer: Buffer2 } = require("buffer");
   return Buffer2.from(normalized, "base64").toString("utf8");
 }
-function parsePublishableKey(raw) {
-  if (typeof raw !== "string") return null;
-  const m = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
-  if (!m) return null;
+function isValidIssuerUrl(iss) {
+  if (typeof iss !== "string" || iss.length === 0) return false;
+  if (!iss.startsWith("http://") && !iss.startsWith("https://")) return false;
   try {
-    const json = JSON.parse(b64urlDecode(m[2]));
-    if (!json || typeof json !== "object") return null;
-    if (typeof json.iss !== "string" || typeof json.appId !== "string" || typeof json.tenantId !== "string" || typeof json.kid !== "string") {
-      return null;
-    }
-    return { mode: m[1], iss: json.iss, appId: json.appId, tenantId: json.tenantId, kid: json.kid, raw };
+    const u = new URL(iss);
+    if (u.protocol !== "http:" && u.protocol !== "https:") return false;
+    if (!u.hostname) return false;
+    return true;
+  } catch {
+    return false;
+  }
+}
+function assertPublishableKey(raw, opts) {
+  const ctx = opts?.context ? `${opts.context}: ` : "";
+  if (typeof raw !== "string" || raw.length === 0) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key is missing. Set IQAUTH_PUBLISHABLE_KEY (or pass publishableKey) to a pk_test_\u2026 or pk_live_\u2026 value from the IQAuth admin console.`
+    );
+  }
+  const shapeMatch = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
+  if (!shapeMatch) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key is malformed (got ${raw.slice(0, 12)}\u2026). Expected pk_test_\u2026 or pk_live_\u2026; regenerate the key from the IQAuth admin console.`
+    );
+  }
+  let decoded;
+  try {
+    decoded = JSON.parse(b64urlDecode(shapeMatch[2]));
   } catch {
-    return null;
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key payload is not valid base64url JSON. Regenerate the key from the IQAuth admin console.`
+    );
+  }
+  if (!isPublishableKeyPayload(decoded)) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key payload is missing required fields {iss, appId, tenantId, kid}. Regenerate the key from the IQAuth admin console.`
+    );
   }
+  if (!isValidIssuerUrl(decoded.iss)) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console, or set IQAUTH_ISSUER to the correct issuer URL as a temporary workaround.`
+    );
+  }
+  return { mode: shapeMatch[1], iss: decoded.iss, appId: decoded.appId, tenantId: decoded.tenantId, kid: decoded.kid, raw };
+}
+function isPublishableKeyPayload(value) {
+  if (!value || typeof value !== "object") return false;
+  const v = value;
+  return typeof v.iss === "string" && typeof v.appId === "string" && typeof v.tenantId === "string" && typeof v.kid === "string";
 }
 
 // src/server/handlers.ts
@@ -76,12 +127,7 @@ function shouldClearCookiesOnFailure(policy, status, errorCode) {
 var ACCESS_TOKEN_TTL_SECONDS = 60 * 15;
 var REFRESH_TOKEN_TTL_SECONDS = 60 * 60 * 24 * 30;
 function resolve(config) {
-  const parsed = parsePublishableKey(config.publishableKey);
-  if (!parsed) {
-    throw new Error(
-      "@iqauth/sdk: invalid publishable key passed to iqAuth helpers (expected pk_test_\u2026 or pk_live_\u2026)"
-    );
-  }
+  const parsed = assertPublishableKey(config.publishableKey, { context: "@iqauth/sdk helpers" });
   const inferredIssuer = parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`;
   return {
     publishableKey: config.publishableKey,

package/dist/server/handlers.mjs

@@ -3,8 +3,9 @@ import {
   handleRefresh,
   handleSignout,
   serializeCookie
-} from "../chunk-JQRTY5MY.mjs";
-import "../chunk-5WFR6Y33.mjs";
+} from "../chunk-M4J6BPK7.mjs";
+import "../chunk-QEJB7WEQ.mjs";
+import "../chunk-6I6RM4MN.mjs";
 import "../chunk-Y6FXYEAI.mjs";
 export {
   handleCallback,

package/dist/server.js

@@ -1813,20 +1813,60 @@ function b64urlDecode(input) {
   const { Buffer: Buffer2 } = require("buffer");
   return Buffer2.from(normalized, "base64").toString("utf8");
 }
-function parsePublishableKey(raw) {
-  if (typeof raw !== "string") return null;
-  const m = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
-  if (!m) return null;
+function isValidIssuerUrl(iss) {
+  if (typeof iss !== "string" || iss.length === 0) return false;
+  if (!iss.startsWith("http://") && !iss.startsWith("https://")) return false;
   try {
-    const json = JSON.parse(b64urlDecode(m[2]));
-    if (!json || typeof json !== "object") return null;
-    if (typeof json.iss !== "string" || typeof json.appId !== "string" || typeof json.tenantId !== "string" || typeof json.kid !== "string") {
-      return null;
-    }
-    return { mode: m[1], iss: json.iss, appId: json.appId, tenantId: json.tenantId, kid: json.kid, raw };
+    const u = new URL(iss);
+    if (u.protocol !== "http:" && u.protocol !== "https:") return false;
+    if (!u.hostname) return false;
+    return true;
   } catch {
-    return null;
+    return false;
+  }
+}
+function assertPublishableKey(raw, opts) {
+  const ctx = opts?.context ? `${opts.context}: ` : "";
+  if (typeof raw !== "string" || raw.length === 0) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key is missing. Set IQAUTH_PUBLISHABLE_KEY (or pass publishableKey) to a pk_test_\u2026 or pk_live_\u2026 value from the IQAuth admin console.`
+    );
+  }
+  const shapeMatch = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
+  if (!shapeMatch) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key is malformed (got ${raw.slice(0, 12)}\u2026). Expected pk_test_\u2026 or pk_live_\u2026; regenerate the key from the IQAuth admin console.`
+    );
+  }
+  let decoded;
+  try {
+    decoded = JSON.parse(b64urlDecode(shapeMatch[2]));
+  } catch {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key payload is not valid base64url JSON. Regenerate the key from the IQAuth admin console.`
+    );
+  }
+  if (!isPublishableKeyPayload(decoded)) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key payload is missing required fields {iss, appId, tenantId, kid}. Regenerate the key from the IQAuth admin console.`
+    );
+  }
+  if (!isValidIssuerUrl(decoded.iss)) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console, or set IQAUTH_ISSUER to the correct issuer URL as a temporary workaround.`
+    );
   }
+  return { mode: shapeMatch[1], iss: decoded.iss, appId: decoded.appId, tenantId: decoded.tenantId, kid: decoded.kid, raw };
+}
+function isPublishableKeyPayload(value) {
+  if (!value || typeof value !== "object") return false;
+  const v = value;
+  return typeof v.iss === "string" && typeof v.appId === "string" && typeof v.tenantId === "string" && typeof v.kid === "string";
 }
 
 // src/middleware/express.ts
@@ -1865,10 +1905,7 @@ function readCookie(req, name) {
   return void 0;
 }
 function clientFromPublishableKey(opts) {
-  const parsed = parsePublishableKey(opts.publishableKey);
-  if (!parsed) {
-    throw new Error("iqAuthMiddleware: invalid publishable key");
-  }
+  const parsed = assertPublishableKey(opts.publishableKey, { context: "iqAuthMiddleware" });
   const issuer = (opts.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
   return new IQAuthClient({ baseUrl: issuer, environment: "server" });
 }
@@ -2010,12 +2047,7 @@ function shouldClearCookiesOnFailure(policy, status, errorCode) {
 var ACCESS_TOKEN_TTL_SECONDS = 60 * 15;
 var REFRESH_TOKEN_TTL_SECONDS = 60 * 60 * 24 * 30;
 function resolve(config) {
-  const parsed = parsePublishableKey(config.publishableKey);
-  if (!parsed) {
-    throw new Error(
-      "@iqauth/sdk: invalid publishable key passed to iqAuth helpers (expected pk_test_\u2026 or pk_live_\u2026)"
-    );
-  }
+  const parsed = assertPublishableKey(config.publishableKey, { context: "@iqauth/sdk helpers" });
   const inferredIssuer = parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`;
   return {
     publishableKey: config.publishableKey,

package/dist/server.mjs

@@ -2,14 +2,14 @@ import {
   DEFAULT_ACCESS_COOKIE,
   DEFAULT_REFRESH_COOKIE,
   iqAuthMiddleware
-} from "./chunk-ZESHDJDU.mjs";
+} from "./chunk-D72UL5HL.mjs";
 import {
   handleCallback,
   handleRefresh,
   handleSignout,
   serializeCookie
-} from "./chunk-JQRTY5MY.mjs";
-import "./chunk-5WFR6Y33.mjs";
+} from "./chunk-M4J6BPK7.mjs";
+import "./chunk-QEJB7WEQ.mjs";
 import {
   IQAuthClient
 } from "./chunk-MDUHPQMM.mjs";

package/dist/{signIn-VRNzlNyG.d.ts → signIn-BVDTIA_t.d.ts}

@@ -1,4 +1,4 @@
-import { b as ParsedPublishableKey } from './publishableKey-B5DIK81A.js';
+import { c as ParsedPublishableKey } from './publishableKey-BaR0HoAH.js';
 import { d as SessionUser, J as JwtClaims } from './types-Cxl3bQHt.js';
 
 /**

package/dist/{signIn-CEMdUAwd.d.mts → signIn-D_kP3v-c.d.mts}

@@ -1,4 +1,4 @@
-import { b as ParsedPublishableKey } from './publishableKey-B5DIK81A.mjs';
+import { c as ParsedPublishableKey } from './publishableKey-BaR0HoAH.mjs';
 import { d as SessionUser, J as JwtClaims } from './types-Cxl3bQHt.mjs';
 
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@iqauth/sdk",
-  "version": "2.0.5",
+  "version": "2.2.0",
   "description": "TypeScript SDK for IQAuth — the canonical way for all IQ projects to integrate with IQAuthService",
   "main": "dist/index.js",
   "module": "dist/index.mjs",

package/dist/chunk-5WFR6Y33.mjs

@@ -1,59 +0,0 @@
-import {
-  __require
-} from "./chunk-Y6FXYEAI.mjs";
-
-// src/publishableKey.ts
-function b64urlEncode(input) {
-  if (typeof btoa === "function") {
-    const bytes = new TextEncoder().encode(input);
-    let bin = "";
-    for (let i = 0; i < bytes.byteLength; i++) bin += String.fromCharCode(bytes[i]);
-    return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
-  }
-  const { Buffer } = __require("buffer");
-  return Buffer.from(input, "utf8").toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
-}
-function b64urlDecode(input) {
-  const pad = input.length % 4 === 0 ? "" : "=".repeat(4 - input.length % 4);
-  const normalized = input.replace(/-/g, "+").replace(/_/g, "/") + pad;
-  if (typeof atob === "function") {
-    const bin = atob(normalized);
-    const bytes = new Uint8Array(bin.length);
-    for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
-    return new TextDecoder().decode(bytes);
-  }
-  const { Buffer } = __require("buffer");
-  return Buffer.from(normalized, "base64").toString("utf8");
-}
-function encodePublishableKey(mode, payload) {
-  if (mode !== "test" && mode !== "live") throw new Error(`Invalid mode: ${mode}`);
-  return `pk_${mode}_${b64urlEncode(JSON.stringify(payload))}`;
-}
-function parsePublishableKey(raw) {
-  if (typeof raw !== "string") return null;
-  const m = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
-  if (!m) return null;
-  try {
-    const json = JSON.parse(b64urlDecode(m[2]));
-    if (!json || typeof json !== "object") return null;
-    if (typeof json.iss !== "string" || typeof json.appId !== "string" || typeof json.tenantId !== "string" || typeof json.kid !== "string") {
-      return null;
-    }
-    return { mode: m[1], iss: json.iss, appId: json.appId, tenantId: json.tenantId, kid: json.kid, raw };
-  } catch {
-    return null;
-  }
-}
-function isPublishableKey(raw) {
-  return typeof raw === "string" && /^pk_(test|live)_/.test(raw);
-}
-function isSecretKey(raw) {
-  return typeof raw === "string" && /^sk_(test|live)_/.test(raw);
-}
-
-export {
-  encodePublishableKey,
-  parsePublishableKey,
-  isPublishableKey,
-  isSecretKey
-};