@iqauth/sdk 2.2.0 → 2.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +134 -0
- package/dist/browser-session.d.mts +3 -3
- package/dist/browser-session.d.ts +3 -3
- package/dist/browser-session.js +89 -68
- package/dist/browser-session.mjs +2 -1
- package/dist/browser.d.mts +64 -29
- package/dist/browser.d.ts +64 -29
- package/dist/browser.js +794 -39
- package/dist/browser.mjs +44 -4
- package/dist/bundle-LUKDQYVQ.mjs +374 -0
- package/dist/chunk-3JULWS6F.mjs +106 -0
- package/dist/chunk-5T7GHBX6.mjs +1165 -0
- package/dist/{chunk-M4J6BPK7.mjs → chunk-6TDJJER7.mjs} +12 -3
- package/dist/{chunk-QZB745C2.mjs → chunk-76W5TLQQ.mjs} +264 -211
- package/dist/{chunk-D72UL5HL.mjs → chunk-BVV54LPI.mjs} +36 -4
- package/dist/chunk-LIZYFXH7.mjs +90 -0
- package/dist/chunk-MKKZULZR.mjs +241 -0
- package/dist/chunk-SL3KRS4W.mjs +54 -0
- package/dist/chunk-TKZTCPEK.mjs +232 -0
- package/dist/chunk-UKZLOHZG.mjs +83 -0
- package/dist/chunk-UNYDG2L4.mjs +209 -0
- package/dist/{chunk-MDUHPQMM.mjs → chunk-W3F4JYGP.mjs} +8 -180
- package/dist/{chunk-QEJB7WEQ.mjs → chunk-WQWBJSSS.mjs} +1 -1
- package/dist/cli/index.js +144 -36
- package/dist/cli/index.mjs +1 -1
- package/dist/{client-DXbHb2ul.d.ts → client-BNQe3AgF.d.ts} +3 -67
- package/dist/{client-Dv4v92Mj.d.mts → client-kYlJFgPv.d.mts} +3 -67
- package/dist/doctor-YYNHNMLD.mjs +198 -0
- package/dist/{express-BZmF1llh.d.mts → express-B6_1vBYZ.d.mts} +23 -2
- package/dist/{express-B4o3P8vK.d.ts → express-CHpfa7D_.d.ts} +23 -2
- package/dist/express.d.mts +77 -6
- package/dist/express.d.ts +77 -6
- package/dist/express.js +336 -74
- package/dist/express.mjs +209 -8
- package/dist/fastify.js +103 -72
- package/dist/fastify.mjs +6 -4
- package/dist/hono.js +102 -72
- package/dist/hono.mjs +5 -4
- package/dist/index.d.mts +8 -4
- package/dist/index.d.ts +8 -4
- package/dist/index.js +590 -73
- package/dist/index.mjs +30 -8
- package/dist/locales.d.mts +53 -0
- package/dist/locales.d.ts +53 -0
- package/dist/locales.js +1202 -0
- package/dist/locales.mjs +29 -0
- package/dist/mobile.d.mts +3 -3
- package/dist/mobile.d.ts +3 -3
- package/dist/mobile.js +89 -68
- package/dist/mobile.mjs +2 -1
- package/dist/next.d.mts +10 -1
- package/dist/next.d.ts +10 -1
- package/dist/next.js +101 -1618
- package/dist/next.mjs +9 -9
- package/dist/provisioningBridge-88xjOS2n.d.mts +86 -0
- package/dist/provisioningBridge-DnTfzdZK.d.ts +86 -0
- package/dist/react.d.mts +1349 -10
- package/dist/react.d.ts +1349 -10
- package/dist/react.js +2998 -569
- package/dist/react.mjs +1518 -95
- package/dist/reverify-4UEJXUS6.mjs +16 -0
- package/dist/server/handlers.d.mts +12 -1
- package/dist/server/handlers.d.ts +12 -1
- package/dist/server/handlers.js +12 -3
- package/dist/server/handlers.mjs +2 -2
- package/dist/server.d.mts +5 -4
- package/dist/server.d.ts +5 -4
- package/dist/server.js +188 -73
- package/dist/server.mjs +13 -8
- package/dist/service.d.mts +3 -3
- package/dist/service.d.ts +3 -3
- package/dist/service.js +89 -68
- package/dist/service.mjs +2 -1
- package/dist/signIn-CCY4JE5G.mjs +15 -0
- package/dist/{signIn-D_kP3v-c.d.mts → signIn-CiIBTJIh.d.mts} +232 -4
- package/dist/{signIn-BVDTIA_t.d.ts → signIn-OCr88Zf8.d.ts} +232 -4
- package/dist/test.d.mts +86 -0
- package/dist/test.d.ts +86 -0
- package/dist/test.js +289 -0
- package/dist/test.mjs +9 -0
- package/dist/tokens-DCyzzn8L.d.mts +63 -0
- package/dist/tokens-aHiGFr_E.d.ts +63 -0
- package/dist/types-6bNdxesb.d.mts +196 -0
- package/dist/types-6bNdxesb.d.ts +196 -0
- package/dist/{types-Cxl3bQHt.d.ts → types-DZAflmmq.d.mts} +6 -0
- package/dist/{types-Cxl3bQHt.d.mts → types-DZAflmmq.d.ts} +6 -0
- package/dist/webhooks.d.mts +61 -0
- package/dist/webhooks.d.ts +61 -0
- package/dist/webhooks.js +119 -0
- package/dist/webhooks.mjs +11 -0
- package/dist/ws.d.mts +73 -0
- package/dist/ws.d.ts +73 -0
- package/dist/ws.js +397 -0
- package/dist/ws.mjs +12 -0
- package/package.json +24 -3
- package/dist/doctor-XCI77BQS.mjs +0 -90
package/dist/hono.js
CHANGED
|
@@ -406,8 +406,7 @@ function parseMfaResponse(data, browserSessionMode) {
|
|
|
406
406
|
}
|
|
407
407
|
|
|
408
408
|
// src/modules/tokens.ts
|
|
409
|
-
var
|
|
410
|
-
var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
|
|
409
|
+
var import_jose = require("jose");
|
|
411
410
|
var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
|
|
412
411
|
var DEFAULT_TOKEN_ISSUER = [
|
|
413
412
|
"https://auth.dispositioniq.com",
|
|
@@ -420,6 +419,24 @@ var DEFAULT_TOKEN_AUDIENCE = [
|
|
|
420
419
|
"iqvalidate"
|
|
421
420
|
];
|
|
422
421
|
var DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
|
|
422
|
+
function decodeProtectedHeader(token) {
|
|
423
|
+
const parts = token.split(".");
|
|
424
|
+
if (parts.length < 2) return null;
|
|
425
|
+
try {
|
|
426
|
+
const padded = parts[0] + "=".repeat((4 - parts[0].length % 4) % 4);
|
|
427
|
+
const b64 = padded.replace(/-/g, "+").replace(/_/g, "/");
|
|
428
|
+
let json;
|
|
429
|
+
if (typeof atob === "function") {
|
|
430
|
+
json = atob(b64);
|
|
431
|
+
} else {
|
|
432
|
+
const { Buffer: Buffer2 } = require("buffer");
|
|
433
|
+
json = Buffer2.from(b64, "base64").toString("utf8");
|
|
434
|
+
}
|
|
435
|
+
return JSON.parse(json);
|
|
436
|
+
} catch {
|
|
437
|
+
return null;
|
|
438
|
+
}
|
|
439
|
+
}
|
|
423
440
|
var TokensModule = class {
|
|
424
441
|
constructor(baseUrl, options = {}) {
|
|
425
442
|
this.jwksCache = null;
|
|
@@ -430,49 +447,49 @@ var TokensModule = class {
|
|
|
430
447
|
this.defaultClockTolerance = options.clockTolerance ?? DEFAULT_CLOCK_TOLERANCE_SECONDS;
|
|
431
448
|
}
|
|
432
449
|
/**
|
|
433
|
-
* Verify a JWT access token using RS256 via JWKS from
|
|
434
|
-
*
|
|
435
|
-
*
|
|
436
|
-
*
|
|
437
|
-
* clock tolerance default to client config but can be overridden per call.
|
|
450
|
+
* Verify a JWT access token using RS256/ES256 via JWKS from
|
|
451
|
+
* `/.well-known/jwks.json`. Backed by `jose` (Web Crypto) so it runs on
|
|
452
|
+
* Node, browser, and edge runtimes alike — no `node:crypto` dependency.
|
|
453
|
+
* Caches JWKS for 1 hour and refetches once on unknown `kid`.
|
|
438
454
|
*/
|
|
439
455
|
async verify(token, options = {}) {
|
|
440
|
-
const
|
|
441
|
-
if (!
|
|
456
|
+
const header = decodeProtectedHeader(token);
|
|
457
|
+
if (!header) {
|
|
442
458
|
throw new IQAuthError("TOKEN_INVALID", "Unable to decode token");
|
|
443
459
|
}
|
|
444
|
-
const kid =
|
|
460
|
+
const kid = header.kid;
|
|
445
461
|
if (!kid) {
|
|
446
462
|
throw new IQAuthError("TOKEN_INVALID", "Token missing kid header");
|
|
447
463
|
}
|
|
448
|
-
let
|
|
449
|
-
if (!
|
|
450
|
-
|
|
451
|
-
|
|
464
|
+
let cache = await this.ensureCache();
|
|
465
|
+
if (!cache.byKid.has(kid)) {
|
|
466
|
+
this.jwksCache = null;
|
|
467
|
+
cache = await this.ensureCache();
|
|
452
468
|
}
|
|
453
|
-
if (!
|
|
469
|
+
if (!cache.byKid.has(kid)) {
|
|
454
470
|
throw new IQAuthError("TOKEN_INVALID", `Unknown key ID: ${kid}`);
|
|
455
471
|
}
|
|
456
472
|
const issuer = options.issuer ?? this.defaultIssuer;
|
|
457
473
|
const audience = options.audience ?? this.defaultAudience;
|
|
458
474
|
const clockTolerance = options.clockTolerance ?? this.defaultClockTolerance;
|
|
459
|
-
const algorithms = options.algorithms ?? ["RS256"];
|
|
475
|
+
const algorithms = options.algorithms ?? ["RS256", "ES256"];
|
|
476
|
+
const verifyOptions = {
|
|
477
|
+
algorithms,
|
|
478
|
+
clockTolerance,
|
|
479
|
+
issuer,
|
|
480
|
+
audience
|
|
481
|
+
};
|
|
460
482
|
try {
|
|
461
|
-
const
|
|
462
|
-
|
|
463
|
-
clockTolerance,
|
|
464
|
-
// The jsonwebtoken types insist on tuple types for arrays; runtime
|
|
465
|
-
// accepts plain string[] so we cast to satisfy the compiler.
|
|
466
|
-
issuer,
|
|
467
|
-
audience
|
|
468
|
-
};
|
|
469
|
-
const verified = import_jsonwebtoken.default.verify(token, publicKey, verifyOptions);
|
|
470
|
-
return verified;
|
|
483
|
+
const { payload } = await (0, import_jose.jwtVerify)(token, cache.verifier, verifyOptions);
|
|
484
|
+
return payload;
|
|
471
485
|
} catch (err) {
|
|
486
|
+
if (err instanceof import_jose.errors.JWTExpired) {
|
|
487
|
+
throw new IQAuthError("TOKEN_EXPIRED", "Token has expired");
|
|
488
|
+
}
|
|
489
|
+
if (err instanceof import_jose.errors.JOSEError) {
|
|
490
|
+
throw new IQAuthError("TOKEN_INVALID", err.message);
|
|
491
|
+
}
|
|
472
492
|
if (err instanceof Error) {
|
|
473
|
-
if (err.name === "TokenExpiredError") {
|
|
474
|
-
throw new IQAuthError("TOKEN_EXPIRED", "Token has expired");
|
|
475
|
-
}
|
|
476
493
|
throw new IQAuthError("TOKEN_INVALID", err.message);
|
|
477
494
|
}
|
|
478
495
|
throw new IQAuthError("TOKEN_INVALID", "Token verification failed");
|
|
@@ -480,29 +497,40 @@ var TokensModule = class {
|
|
|
480
497
|
}
|
|
481
498
|
/**
|
|
482
499
|
* Decode a JWT without verification. Returns null if malformed.
|
|
483
|
-
*
|
|
484
|
-
* @remarks Local decode only — no network call
|
|
485
500
|
*/
|
|
486
501
|
decode(token) {
|
|
487
|
-
|
|
488
|
-
|
|
502
|
+
try {
|
|
503
|
+
const parts = token.split(".");
|
|
504
|
+
if (parts.length < 2) return null;
|
|
505
|
+
const payload = parts[1];
|
|
506
|
+
const padded = payload + "=".repeat((4 - payload.length % 4) % 4);
|
|
507
|
+
const b64 = padded.replace(/-/g, "+").replace(/_/g, "/");
|
|
508
|
+
let json;
|
|
509
|
+
if (typeof atob === "function") {
|
|
510
|
+
json = atob(b64);
|
|
511
|
+
} else {
|
|
512
|
+
const { Buffer: Buffer2 } = require("buffer");
|
|
513
|
+
json = Buffer2.from(b64, "base64").toString("utf8");
|
|
514
|
+
}
|
|
515
|
+
try {
|
|
516
|
+
json = decodeURIComponent(escape(json));
|
|
517
|
+
} catch {
|
|
518
|
+
}
|
|
519
|
+
const claims = JSON.parse(json);
|
|
520
|
+
if (!claims || typeof claims !== "object") return null;
|
|
521
|
+
return claims;
|
|
522
|
+
} catch {
|
|
523
|
+
return null;
|
|
524
|
+
}
|
|
489
525
|
}
|
|
490
|
-
/**
|
|
491
|
-
* Check if a token is expired based on the `exp` claim.
|
|
492
|
-
*
|
|
493
|
-
* @remarks Local check only — no network call
|
|
494
|
-
*/
|
|
526
|
+
/** Check if a token is expired based on the `exp` claim. */
|
|
495
527
|
isExpired(token) {
|
|
496
528
|
const claims = this.decode(token);
|
|
497
529
|
if (!claims?.exp) return true;
|
|
498
530
|
const now = Math.floor(Date.now() / 1e3);
|
|
499
531
|
return claims.exp <= now;
|
|
500
532
|
}
|
|
501
|
-
/**
|
|
502
|
-
* Get the claims from a token without verification.
|
|
503
|
-
*
|
|
504
|
-
* @remarks Local decode only — no network call
|
|
505
|
-
*/
|
|
533
|
+
/** Get the claims from a token without verification. */
|
|
506
534
|
getClaims(token) {
|
|
507
535
|
const claims = this.decode(token);
|
|
508
536
|
if (!claims) {
|
|
@@ -510,11 +538,15 @@ var TokensModule = class {
|
|
|
510
538
|
}
|
|
511
539
|
return claims;
|
|
512
540
|
}
|
|
513
|
-
async
|
|
514
|
-
if (
|
|
515
|
-
|
|
541
|
+
async ensureCache() {
|
|
542
|
+
if (this.jwksCache && Date.now() - this.jwksCache.fetchedAt <= JWKS_CACHE_TTL_MS) {
|
|
543
|
+
return this.jwksCache;
|
|
544
|
+
}
|
|
545
|
+
await this.refreshJwks();
|
|
546
|
+
if (!this.jwksCache) {
|
|
547
|
+
throw new IQAuthError("INTERNAL_ERROR", "JWKS cache unavailable after refresh");
|
|
516
548
|
}
|
|
517
|
-
return this.jwksCache
|
|
549
|
+
return this.jwksCache;
|
|
518
550
|
}
|
|
519
551
|
async refreshJwks() {
|
|
520
552
|
if (this.inFlightRefresh) {
|
|
@@ -541,35 +573,24 @@ var TokensModule = class {
|
|
|
541
573
|
"Malformed JWKS response: expected { keys: [...] }"
|
|
542
574
|
);
|
|
543
575
|
}
|
|
544
|
-
const
|
|
576
|
+
const byKid = /* @__PURE__ */ new Set();
|
|
545
577
|
for (const key of jwks.keys) {
|
|
546
|
-
if (!key || typeof key.kid !== "string" || typeof key.n !== "string" || typeof key.e !== "string") {
|
|
578
|
+
if (!key || typeof key.kid !== "string" || typeof key.n !== "string" && typeof key.x !== "string" || key.kty === "RSA" && (typeof key.n !== "string" || typeof key.e !== "string")) {
|
|
547
579
|
throw new IQAuthError(
|
|
548
580
|
"INTERNAL_ERROR",
|
|
549
581
|
"Malformed JWKS response: key missing required fields"
|
|
550
582
|
);
|
|
551
583
|
}
|
|
552
|
-
|
|
553
|
-
keys.set(key.kid, pem);
|
|
584
|
+
byKid.add(key.kid);
|
|
554
585
|
}
|
|
555
|
-
|
|
586
|
+
const verifier = (0, import_jose.createLocalJWKSet)({ keys: jwks.keys });
|
|
587
|
+
this.jwksCache = { raw: jwks.keys, byKid, verifier, fetchedAt: Date.now() };
|
|
556
588
|
} finally {
|
|
557
589
|
this.inFlightRefresh = null;
|
|
558
590
|
}
|
|
559
591
|
})();
|
|
560
592
|
return this.inFlightRefresh;
|
|
561
593
|
}
|
|
562
|
-
jwkToPem(jwk) {
|
|
563
|
-
const keyObject = import_crypto.default.createPublicKey({
|
|
564
|
-
key: {
|
|
565
|
-
kty: jwk.kty,
|
|
566
|
-
n: jwk.n,
|
|
567
|
-
e: jwk.e
|
|
568
|
-
},
|
|
569
|
-
format: "jwk"
|
|
570
|
-
});
|
|
571
|
-
return keyObject.export({ type: "spki", format: "pem" });
|
|
572
|
-
}
|
|
573
594
|
/** @internal Exposed for testing — clears JWKS cache */
|
|
574
595
|
clearCache() {
|
|
575
596
|
this.jwksCache = null;
|
|
@@ -777,7 +798,7 @@ var PermissionsModule = class {
|
|
|
777
798
|
};
|
|
778
799
|
|
|
779
800
|
// src/modules/oidc.ts
|
|
780
|
-
var
|
|
801
|
+
var import_crypto = __toESM(require("crypto"));
|
|
781
802
|
var InMemoryOidcStateStore = class {
|
|
782
803
|
constructor() {
|
|
783
804
|
this.map = /* @__PURE__ */ new Map();
|
|
@@ -858,12 +879,12 @@ var OidcModule = class {
|
|
|
858
879
|
* ready to redirect the user to.
|
|
859
880
|
*/
|
|
860
881
|
async createAuthRequest(params) {
|
|
861
|
-
const codeVerifier = base64UrlEncode(
|
|
882
|
+
const codeVerifier = base64UrlEncode(import_crypto.default.randomBytes(32));
|
|
862
883
|
const codeChallenge = base64UrlEncode(
|
|
863
|
-
|
|
884
|
+
import_crypto.default.createHash("sha256").update(codeVerifier).digest()
|
|
864
885
|
);
|
|
865
|
-
const state = base64UrlEncode(
|
|
866
|
-
const nonce = base64UrlEncode(
|
|
886
|
+
const state = base64UrlEncode(import_crypto.default.randomBytes(16));
|
|
887
|
+
const nonce = base64UrlEncode(import_crypto.default.randomBytes(16));
|
|
867
888
|
await this.stateStore.set(state, {
|
|
868
889
|
codeVerifier,
|
|
869
890
|
state,
|
|
@@ -1811,7 +1832,7 @@ function assertPublishableKey(raw, opts) {
|
|
|
1811
1832
|
if (!isValidIssuerUrl(decoded.iss)) {
|
|
1812
1833
|
throw new IQAuthError(
|
|
1813
1834
|
"CONFIG_INVALID",
|
|
1814
|
-
`${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console
|
|
1835
|
+
`${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console \u2014 the new key will encode a valid issuer URL.`
|
|
1815
1836
|
);
|
|
1816
1837
|
}
|
|
1817
1838
|
return { mode: shapeMatch[1], iss: decoded.iss, appId: decoded.appId, tenantId: decoded.tenantId, kid: decoded.kid, raw };
|
|
@@ -1848,8 +1869,8 @@ function resolve(config) {
|
|
|
1848
1869
|
publishableKey: config.publishableKey,
|
|
1849
1870
|
secretKey: config.secretKey,
|
|
1850
1871
|
issuer: (config.issuer ?? inferredIssuer).replace(/\/+$/, ""),
|
|
1851
|
-
accessCookieName: config.accessCookieName ?? "iqauth_at",
|
|
1852
|
-
refreshCookieName: config.refreshCookieName ?? "iqauth_rt",
|
|
1872
|
+
accessCookieName: config.accessCookieName ?? config.cookieNames?.access ?? "iqauth_at",
|
|
1873
|
+
refreshCookieName: config.refreshCookieName ?? config.cookieNames?.refresh ?? "iqauth_rt",
|
|
1853
1874
|
cookieDomain: config.cookieDomain,
|
|
1854
1875
|
sameSite: config.sameSite ?? "lax",
|
|
1855
1876
|
secure: config.secure ?? true,
|
|
@@ -2013,6 +2034,15 @@ async function handleSignout(config, input) {
|
|
|
2013
2034
|
} catch {
|
|
2014
2035
|
}
|
|
2015
2036
|
}
|
|
2037
|
+
if (input.endSsoSession !== false && input.ssoCookieHeader) {
|
|
2038
|
+
try {
|
|
2039
|
+
await cfg.fetchImpl(`${cfg.issuer}/oidc/sso-logout`, {
|
|
2040
|
+
method: "POST",
|
|
2041
|
+
headers: { Cookie: input.ssoCookieHeader }
|
|
2042
|
+
});
|
|
2043
|
+
} catch {
|
|
2044
|
+
}
|
|
2045
|
+
}
|
|
2016
2046
|
return {
|
|
2017
2047
|
status: 200,
|
|
2018
2048
|
body: { success: true, data: { signedOut: true } },
|
|
@@ -2083,7 +2113,7 @@ function iqAuth(options) {
|
|
|
2083
2113
|
if (path === `${mount}/signout`) {
|
|
2084
2114
|
const auth2 = c.req.header("authorization");
|
|
2085
2115
|
const accessToken = auth2 && auth2.replace(/^Bearer /i, "") || readCookieFromHeader(cookieHeader, accessCookie);
|
|
2086
|
-
return honoResponse(await handleSignout(helperConfig, { accessToken }));
|
|
2116
|
+
return honoResponse(await handleSignout(helperConfig, { accessToken, ssoCookieHeader: cookieHeader }));
|
|
2087
2117
|
}
|
|
2088
2118
|
}
|
|
2089
2119
|
if (isPublic(path)) return next();
|
package/dist/hono.mjs
CHANGED
|
@@ -3,13 +3,14 @@ import {
|
|
|
3
3
|
handleRefresh,
|
|
4
4
|
handleSignout,
|
|
5
5
|
serializeCookie
|
|
6
|
-
} from "./chunk-
|
|
6
|
+
} from "./chunk-6TDJJER7.mjs";
|
|
7
7
|
import {
|
|
8
8
|
assertPublishableKey
|
|
9
|
-
} from "./chunk-
|
|
9
|
+
} from "./chunk-WQWBJSSS.mjs";
|
|
10
10
|
import {
|
|
11
11
|
IQAuthClient
|
|
12
|
-
} from "./chunk-
|
|
12
|
+
} from "./chunk-W3F4JYGP.mjs";
|
|
13
|
+
import "./chunk-UNYDG2L4.mjs";
|
|
13
14
|
import {
|
|
14
15
|
IQAuthError
|
|
15
16
|
} from "./chunk-6I6RM4MN.mjs";
|
|
@@ -78,7 +79,7 @@ function iqAuth(options) {
|
|
|
78
79
|
if (path === `${mount}/signout`) {
|
|
79
80
|
const auth2 = c.req.header("authorization");
|
|
80
81
|
const accessToken = auth2 && auth2.replace(/^Bearer /i, "") || readCookieFromHeader(cookieHeader, accessCookie);
|
|
81
|
-
return honoResponse(await handleSignout(helperConfig, { accessToken }));
|
|
82
|
+
return honoResponse(await handleSignout(helperConfig, { accessToken, ssoCookieHeader: cookieHeader }));
|
|
82
83
|
}
|
|
83
84
|
}
|
|
84
85
|
if (isPublic(path)) return next();
|
package/dist/index.d.mts
CHANGED
|
@@ -1,6 +1,10 @@
|
|
|
1
|
-
export {
|
|
1
|
+
export { j as ApiKeysModule, g as AppsModule, A as AuthModule, B as BrandingModule, m as ClientsModule, C as CreateAppRequest, h as CreateAppResponse, E as EntitlementsModule, G as GdprModule, H as HierarchyModule, I as IQAuthClient, a as InMemoryOidcStateStore, k as InvitesModule, M as MembershipsModule, p as MfaModule, d as OidcAuthRequest, e as OidcCallbackResult, O as OidcModule, f as OidcModuleOptions, b as OidcStateStore, c as OidcStoredRequest, i as PermissionGroupsModule, P as PermissionsModule, o as PinModule, R as RolesModule, n as ScopeModule, S as SessionsModule, l as SourcesModule, T as TenantsModule, U as UsersModule, V as VendorsModule, W as WebhooksModule } from './client-kYlJFgPv.mjs';
|
|
2
2
|
export { a as ErrorCode, E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.mjs';
|
|
3
|
-
export { i as iqAuthMiddleware } from './express-
|
|
3
|
+
export { i as iqAuthMiddleware } from './express-B6_1vBYZ.mjs';
|
|
4
|
+
export { b as DEFAULT_CLOCK_TOLERANCE_SECONDS, a as DEFAULT_TOKEN_AUDIENCE, D as DEFAULT_TOKEN_ISSUER, c as TokenVerifyOptions, T as TokensModule, d as TokensModuleOptions } from './tokens-DCyzzn8L.mjs';
|
|
4
5
|
export { K as KeyMode, c as ParsedPublishableKey, P as PublishableKeyPayload, a as assertPublishableKey, e as encodePublishableKey, i as isPublishableKey, b as isSecretKey, p as parsePublishableKey } from './publishableKey-BaR0HoAH.mjs';
|
|
5
|
-
export {
|
|
6
|
-
|
|
6
|
+
export { VerifyWsUpgradeOptions, VerifyWsUpgradeResult, WsUpgradeRequestLike, verifyWsUpgrade } from './ws.mjs';
|
|
7
|
+
export { CreateTestIssuerOptions, MintAuthCodeOptions, MintTokenOptions, TestIssuer, createTestIssuer } from './test.mjs';
|
|
8
|
+
export { an as AcceptInviteRequest, aa as AddGroupPermissionRequest, ad as AddUserOverrideRequest, v as ApiErrorResponse, ag as ApiKeyInfo, aj as ApiKeyIntrospection, w as ApiResponse, A as ApiSuccessResponse, _ as AppInfo, Z as AppManifest, a0 as AppSyncResult, a4 as AssignRoleRequest, aM as AvailableScopesTree, a_ as BackupCodeCountResult, aZ as BackupCodesResult, p as BrandingAsset, B as BrandingConfig, r as BrandingDomainMapping, aB as Client, ah as CreateApiKeyRequest, ai as CreateApiKeyResult, aC as CreateClientRequest, al as CreateInviteRequest, aJ as CreateMembershipRequest, a2 as CreateRoleRequest, az as CreateSourceRequest, C as CreateTenantRequest, aw as CreateVendorRequest, ap as CreateWebhookRequest, aq as CreateWebhookResult, ae as EffectivePermission, aY as EmailEnrollResult, at as Entitlement, N as ExpressMiddlewareOptions, aR as GdprExportData, au as GrantEntitlementRequest, a9 as GroupPermission, aG as HierarchyClient, aH as HierarchyLink, aF as HierarchySource, aE as HierarchyVendor, c as IQAuthBrowserSessionClientConfig, a as IQAuthClientConfig, I as IQAuthEnvironment, V as IQAuthNextFunction, Q as IQAuthRequestLike, R as IQAuthResponseLike, W as IQAuthRetryConfig, b as IQAuthTokenClientConfig, X as IQAuthVerifyConfig, ab as InheritanceRelation, ak as Invitation, l as InviteTenantUserRequest, m as InviteTenantUserResult, am as InviteValidation, s as JwksKey, t as JwksResponse, J as JwtClaims, L as LoginResult, aI as Membership, aL as MembershipWithDetails, aU as MfaAvailableMethods, y as MfaEnrollment, x as MfaMethod, F as MfaPolicy, D as MfaVerifyResult, M as MigrateUserRequest, O as OidcDiscovery, u as OidcTokenResponse, E as PasswordPolicy, af as PermissionCheckResult, a8 as PermissionGroup, $ as PermissionNodeInfo, Y as PermissionNodeManifest, aT as PinLoginResult, aS as PinStatus, P as PromoteToVendorRequest, k as PromoteToVendorResult, H as ProvisionUserRequest, K as ProvisionUserResponse, a1 as Role, S as ScopeContext, aQ as ScopeSwitchResult, aN as ScopeTreeClient, aO as ScopeTreeSource, aP as ScopeTreeVendor, h as Session, g as SessionAuthenticatedLoginResult, d as SessionUser, aX as SmsEnrollResult, ay as Source, e as Tenant, i as TenantInfo, a7 as TenantUser, n as TenantUserRoleUpdate, f as TokenAuthenticatedLoginResult, T as TokenPair, aV as TotpEnrollResult, z as TotpEnrollmentResult, aW as TotpVerifyResult, o as UpdateBrandingRequest, aD as UpdateClientRequest, aK as UpdateMembershipRequest, a3 as UpdateRoleRequest, aA as UpdateSourceRequest, j as UpdateTenantRequest, ax as UpdateVendorRequest, q as UploadAssetRequest, a6 as UserGroupAssignment, ac as UserPermissionOverride, G as UserPermissions, U as UserProfile, a5 as UserRoleAssignment, av as Vendor, ar as WebhookDelivery, ao as WebhookEndpoint, as as WebhookTestResult } from './types-DZAflmmq.mjs';
|
|
9
|
+
export { IQAuthWebhookEvent, VerifyWebhookOptions, WebhookSignatureError, isValidWebhookSignature, verifyWebhookSignature } from './webhooks.mjs';
|
|
10
|
+
export { P as ProvisioningBridge, a as ProvisioningBridgeOptions, d as ProvisioningContext, b as ProvisioningStorage, c as createProvisioningBridge } from './provisioningBridge-88xjOS2n.mjs';
|
package/dist/index.d.ts
CHANGED
|
@@ -1,6 +1,10 @@
|
|
|
1
|
-
export {
|
|
1
|
+
export { j as ApiKeysModule, g as AppsModule, A as AuthModule, B as BrandingModule, m as ClientsModule, C as CreateAppRequest, h as CreateAppResponse, E as EntitlementsModule, G as GdprModule, H as HierarchyModule, I as IQAuthClient, a as InMemoryOidcStateStore, k as InvitesModule, M as MembershipsModule, p as MfaModule, d as OidcAuthRequest, e as OidcCallbackResult, O as OidcModule, f as OidcModuleOptions, b as OidcStateStore, c as OidcStoredRequest, i as PermissionGroupsModule, P as PermissionsModule, o as PinModule, R as RolesModule, n as ScopeModule, S as SessionsModule, l as SourcesModule, T as TenantsModule, U as UsersModule, V as VendorsModule, W as WebhooksModule } from './client-BNQe3AgF.js';
|
|
2
2
|
export { a as ErrorCode, E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.js';
|
|
3
|
-
export { i as iqAuthMiddleware } from './express-
|
|
3
|
+
export { i as iqAuthMiddleware } from './express-CHpfa7D_.js';
|
|
4
|
+
export { b as DEFAULT_CLOCK_TOLERANCE_SECONDS, a as DEFAULT_TOKEN_AUDIENCE, D as DEFAULT_TOKEN_ISSUER, c as TokenVerifyOptions, T as TokensModule, d as TokensModuleOptions } from './tokens-aHiGFr_E.js';
|
|
4
5
|
export { K as KeyMode, c as ParsedPublishableKey, P as PublishableKeyPayload, a as assertPublishableKey, e as encodePublishableKey, i as isPublishableKey, b as isSecretKey, p as parsePublishableKey } from './publishableKey-BaR0HoAH.js';
|
|
5
|
-
export {
|
|
6
|
-
|
|
6
|
+
export { VerifyWsUpgradeOptions, VerifyWsUpgradeResult, WsUpgradeRequestLike, verifyWsUpgrade } from './ws.js';
|
|
7
|
+
export { CreateTestIssuerOptions, MintAuthCodeOptions, MintTokenOptions, TestIssuer, createTestIssuer } from './test.js';
|
|
8
|
+
export { an as AcceptInviteRequest, aa as AddGroupPermissionRequest, ad as AddUserOverrideRequest, v as ApiErrorResponse, ag as ApiKeyInfo, aj as ApiKeyIntrospection, w as ApiResponse, A as ApiSuccessResponse, _ as AppInfo, Z as AppManifest, a0 as AppSyncResult, a4 as AssignRoleRequest, aM as AvailableScopesTree, a_ as BackupCodeCountResult, aZ as BackupCodesResult, p as BrandingAsset, B as BrandingConfig, r as BrandingDomainMapping, aB as Client, ah as CreateApiKeyRequest, ai as CreateApiKeyResult, aC as CreateClientRequest, al as CreateInviteRequest, aJ as CreateMembershipRequest, a2 as CreateRoleRequest, az as CreateSourceRequest, C as CreateTenantRequest, aw as CreateVendorRequest, ap as CreateWebhookRequest, aq as CreateWebhookResult, ae as EffectivePermission, aY as EmailEnrollResult, at as Entitlement, N as ExpressMiddlewareOptions, aR as GdprExportData, au as GrantEntitlementRequest, a9 as GroupPermission, aG as HierarchyClient, aH as HierarchyLink, aF as HierarchySource, aE as HierarchyVendor, c as IQAuthBrowserSessionClientConfig, a as IQAuthClientConfig, I as IQAuthEnvironment, V as IQAuthNextFunction, Q as IQAuthRequestLike, R as IQAuthResponseLike, W as IQAuthRetryConfig, b as IQAuthTokenClientConfig, X as IQAuthVerifyConfig, ab as InheritanceRelation, ak as Invitation, l as InviteTenantUserRequest, m as InviteTenantUserResult, am as InviteValidation, s as JwksKey, t as JwksResponse, J as JwtClaims, L as LoginResult, aI as Membership, aL as MembershipWithDetails, aU as MfaAvailableMethods, y as MfaEnrollment, x as MfaMethod, F as MfaPolicy, D as MfaVerifyResult, M as MigrateUserRequest, O as OidcDiscovery, u as OidcTokenResponse, E as PasswordPolicy, af as PermissionCheckResult, a8 as PermissionGroup, $ as PermissionNodeInfo, Y as PermissionNodeManifest, aT as PinLoginResult, aS as PinStatus, P as PromoteToVendorRequest, k as PromoteToVendorResult, H as ProvisionUserRequest, K as ProvisionUserResponse, a1 as Role, S as ScopeContext, aQ as ScopeSwitchResult, aN as ScopeTreeClient, aO as ScopeTreeSource, aP as ScopeTreeVendor, h as Session, g as SessionAuthenticatedLoginResult, d as SessionUser, aX as SmsEnrollResult, ay as Source, e as Tenant, i as TenantInfo, a7 as TenantUser, n as TenantUserRoleUpdate, f as TokenAuthenticatedLoginResult, T as TokenPair, aV as TotpEnrollResult, z as TotpEnrollmentResult, aW as TotpVerifyResult, o as UpdateBrandingRequest, aD as UpdateClientRequest, aK as UpdateMembershipRequest, a3 as UpdateRoleRequest, aA as UpdateSourceRequest, j as UpdateTenantRequest, ax as UpdateVendorRequest, q as UploadAssetRequest, a6 as UserGroupAssignment, ac as UserPermissionOverride, G as UserPermissions, U as UserProfile, a5 as UserRoleAssignment, av as Vendor, ar as WebhookDelivery, ao as WebhookEndpoint, as as WebhookTestResult } from './types-DZAflmmq.js';
|
|
9
|
+
export { IQAuthWebhookEvent, VerifyWebhookOptions, WebhookSignatureError, isValidWebhookSignature, verifyWebhookSignature } from './webhooks.js';
|
|
10
|
+
export { P as ProvisioningBridge, a as ProvisioningBridgeOptions, d as ProvisioningContext, b as ProvisioningStorage, c as createProvisioningBridge } from './provisioningBridge-DnTfzdZK.js';
|