@iqauth/sdk 2.2.0 → 2.5.0

package/dist/next.mjs

@@ -3,13 +3,13 @@ import {
   handleRefresh,
   handleSignout,
   serializeCookie
-} from "./chunk-M4J6BPK7.mjs";
+} from "./chunk-6TDJJER7.mjs";
 import {
   assertPublishableKey
-} from "./chunk-QEJB7WEQ.mjs";
+} from "./chunk-WQWBJSSS.mjs";
 import {
-  IQAuthClient
-} from "./chunk-MDUHPQMM.mjs";
+  TokensModule
+} from "./chunk-UNYDG2L4.mjs";
 import "./chunk-6I6RM4MN.mjs";
 import "./chunk-Y6FXYEAI.mjs";
 
@@ -59,7 +59,7 @@ function handler(options) {
     if (action === "signout") {
       const auth = req.headers.get("authorization");
       const accessToken = auth && auth.replace(/^Bearer /i, "") || readCookieFromHeader(cookieHeader, accessCookie);
-      return toResponse(await handleSignout(helperConfig, { accessToken }));
+      return toResponse(await handleSignout(helperConfig, { accessToken, ssoCookieHeader: cookieHeader ?? void 0 }));
     }
     return new Response(JSON.stringify({ success: false, error: { code: "NOT_FOUND", message: `Unknown action: ${action}` } }), {
       status: 404,
@@ -71,7 +71,7 @@ function createMiddleware(options) {
   const parsed = assertPublishableKey(options.publishableKey, { context: "@iqauth/sdk/next createMiddleware" });
   const issuer = (options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
   const accessCookie = options.accessCookieName ?? "iqauth_at";
-  const client = new IQAuthClient({ baseUrl: issuer, environment: "server" });
+  const tokens = new TokensModule(issuer);
   return async (req) => {
     const auth = req.headers.get("authorization");
     let token;
@@ -84,7 +84,7 @@ function createMiddleware(options) {
       });
     }
     try {
-      await client.tokens.verify(token);
+      await tokens.verify(token);
       return void 0;
     } catch (err) {
       const code = err.code || "TOKEN_INVALID";
@@ -113,9 +113,9 @@ async function getAuth(options) {
   }
   const token = cookieJar?.get(accessCookie)?.value;
   if (!token) return null;
-  const client = new IQAuthClient({ baseUrl: issuer, environment: "server" });
+  const tokens = new TokensModule(issuer);
   try {
-    return await client.tokens.verify(token);
+    return await tokens.verify(token);
   } catch {
     return null;
   }

package/dist/provisioningBridge-88xjOS2n.d.mts

@@ -0,0 +1,86 @@
+import { J as JwtClaims } from './types-DZAflmmq.mjs';
+
+/**
+ * createProvisioningBridge — server-side helper that lifts the
+ * "provision-on-first-login" pattern out of every downstream app.
+ *
+ * Pattern (extracted from IQValidate's iqauth-provision.ts):
+ *   1. On every authenticated request, look up the local user record by
+ *      `iqauthUserId` (the `sub` claim from the JWT).
+ *   2. If not found, fall back to lookup by `email` and adopt the row by
+ *      writing the iqauthUserId — handles users that existed locally before
+ *      IQAuth was integrated.
+ *   3. If still not found, INSERT a new local user row from the JWT claims.
+ *      Race-safe: if a concurrent request already inserted the row
+ *      (Postgres unique-violation 23505 / SQLite SQLITE_CONSTRAINT), retry
+ *      the lookup once.
+ *   4. Optionally apply a `roleMapper(claims)` to map IQAuth roles into the
+ *      local app's role enum on insert/update.
+ *
+ * The factory is db-engine and ORM-agnostic — pass adapters that read/write
+ * your local user table. See the JSDoc on each adapter for the contract.
+ */
+
+interface ProvisioningContext<TUser> {
+    claims: JwtClaims;
+    /** The local user record, looked up or freshly inserted. */
+    user: TUser;
+    /** True if `user` was just created by this request. */
+    created: boolean;
+    /** True if `user` existed locally and was adopted by writing iqauthUserId. */
+    adopted: boolean;
+}
+interface ProvisioningStorage<TUser> {
+    /** Find local user by IQAuth `sub` claim. Returns `null` when not found. */
+    findByIqAuthUserId(iqauthUserId: string): Promise<TUser | null>;
+    /** Find local user by email (case-insensitive recommended). */
+    findByEmail(email: string): Promise<TUser | null>;
+    /**
+     * Insert a fresh user row from the JWT claims. The implementation should
+     * set the local `iqauthUserId` column to `claims.sub` and copy email/name.
+     * If a unique-constraint violation fires (concurrent insert), throw the
+     * error — the bridge catches it and retries the read. Common Postgres
+     * error code is `23505`; SQLite uses `SQLITE_CONSTRAINT_UNIQUE`.
+     */
+    insertFromClaims(claims: JwtClaims, mappedRole?: string | null): Promise<TUser>;
+    /**
+     * Adopt a pre-existing local row (matched by email) by writing the
+     * iqauthUserId. Returns the updated user. Optional — when omitted, the
+     * bridge falls through to insertFromClaims.
+     */
+    adoptByEmail?: (existing: TUser, claims: JwtClaims, mappedRole?: string | null) => Promise<TUser>;
+}
+interface ProvisioningBridgeOptions<TUser> {
+    storage: ProvisioningStorage<TUser>;
+    /** Map IQAuth role strings into the local app's role on insert/adopt. */
+    roleMapper?: (claims: JwtClaims) => string | null | undefined;
+    /**
+     * Heuristic that classifies a thrown DB error as a unique-constraint race.
+     * Defaults to checking for Postgres `23505` and SQLite `SQLITE_CONSTRAINT_UNIQUE`.
+     */
+    isUniqueViolation?: (err: unknown) => boolean;
+}
+interface ProvisioningBridge<TUser> {
+    /**
+     * Resolve (or provision) the local user that corresponds to a verified
+     * IQAuth JWT. Idempotent and race-safe.
+     */
+    ensureUser(claims: JwtClaims): Promise<ProvisioningContext<TUser>>;
+}
+/**
+ * Build a provisioning bridge. Returns an `ensureUser(claims)` function that
+ * handles lookup → adopt → insert → race-retry. Apps typically wrap this in
+ * Express middleware:
+ *
+ *   const bridge = createProvisioningBridge({ storage, roleMapper });
+ *   app.use(iqAuth({ ... }));
+ *   app.use(async (req, _res, next) => {
+ *     if (!req.auth) return next();
+ *     const ctx = await bridge.ensureUser(req.auth);
+ *     (req as any).localUser = ctx.user;
+ *     next();
+ *   });
+ */
+declare function createProvisioningBridge<TUser>(options: ProvisioningBridgeOptions<TUser>): ProvisioningBridge<TUser>;
+
+export { type ProvisioningBridge as P, type ProvisioningBridgeOptions as a, type ProvisioningStorage as b, createProvisioningBridge as c, type ProvisioningContext as d };

package/dist/provisioningBridge-DnTfzdZK.d.ts

@@ -0,0 +1,86 @@
+import { J as JwtClaims } from './types-DZAflmmq.js';
+
+/**
+ * createProvisioningBridge — server-side helper that lifts the
+ * "provision-on-first-login" pattern out of every downstream app.
+ *
+ * Pattern (extracted from IQValidate's iqauth-provision.ts):
+ *   1. On every authenticated request, look up the local user record by
+ *      `iqauthUserId` (the `sub` claim from the JWT).
+ *   2. If not found, fall back to lookup by `email` and adopt the row by
+ *      writing the iqauthUserId — handles users that existed locally before
+ *      IQAuth was integrated.
+ *   3. If still not found, INSERT a new local user row from the JWT claims.
+ *      Race-safe: if a concurrent request already inserted the row
+ *      (Postgres unique-violation 23505 / SQLite SQLITE_CONSTRAINT), retry
+ *      the lookup once.
+ *   4. Optionally apply a `roleMapper(claims)` to map IQAuth roles into the
+ *      local app's role enum on insert/update.
+ *
+ * The factory is db-engine and ORM-agnostic — pass adapters that read/write
+ * your local user table. See the JSDoc on each adapter for the contract.
+ */
+
+interface ProvisioningContext<TUser> {
+    claims: JwtClaims;
+    /** The local user record, looked up or freshly inserted. */
+    user: TUser;
+    /** True if `user` was just created by this request. */
+    created: boolean;
+    /** True if `user` existed locally and was adopted by writing iqauthUserId. */
+    adopted: boolean;
+}
+interface ProvisioningStorage<TUser> {
+    /** Find local user by IQAuth `sub` claim. Returns `null` when not found. */
+    findByIqAuthUserId(iqauthUserId: string): Promise<TUser | null>;
+    /** Find local user by email (case-insensitive recommended). */
+    findByEmail(email: string): Promise<TUser | null>;
+    /**
+     * Insert a fresh user row from the JWT claims. The implementation should
+     * set the local `iqauthUserId` column to `claims.sub` and copy email/name.
+     * If a unique-constraint violation fires (concurrent insert), throw the
+     * error — the bridge catches it and retries the read. Common Postgres
+     * error code is `23505`; SQLite uses `SQLITE_CONSTRAINT_UNIQUE`.
+     */
+    insertFromClaims(claims: JwtClaims, mappedRole?: string | null): Promise<TUser>;
+    /**
+     * Adopt a pre-existing local row (matched by email) by writing the
+     * iqauthUserId. Returns the updated user. Optional — when omitted, the
+     * bridge falls through to insertFromClaims.
+     */
+    adoptByEmail?: (existing: TUser, claims: JwtClaims, mappedRole?: string | null) => Promise<TUser>;
+}
+interface ProvisioningBridgeOptions<TUser> {
+    storage: ProvisioningStorage<TUser>;
+    /** Map IQAuth role strings into the local app's role on insert/adopt. */
+    roleMapper?: (claims: JwtClaims) => string | null | undefined;
+    /**
+     * Heuristic that classifies a thrown DB error as a unique-constraint race.
+     * Defaults to checking for Postgres `23505` and SQLite `SQLITE_CONSTRAINT_UNIQUE`.
+     */
+    isUniqueViolation?: (err: unknown) => boolean;
+}
+interface ProvisioningBridge<TUser> {
+    /**
+     * Resolve (or provision) the local user that corresponds to a verified
+     * IQAuth JWT. Idempotent and race-safe.
+     */
+    ensureUser(claims: JwtClaims): Promise<ProvisioningContext<TUser>>;
+}
+/**
+ * Build a provisioning bridge. Returns an `ensureUser(claims)` function that
+ * handles lookup → adopt → insert → race-retry. Apps typically wrap this in
+ * Express middleware:
+ *
+ *   const bridge = createProvisioningBridge({ storage, roleMapper });
+ *   app.use(iqAuth({ ... }));
+ *   app.use(async (req, _res, next) => {
+ *     if (!req.auth) return next();
+ *     const ctx = await bridge.ensureUser(req.auth);
+ *     (req as any).localUser = ctx.user;
+ *     next();
+ *   });
+ */
+declare function createProvisioningBridge<TUser>(options: ProvisioningBridgeOptions<TUser>): ProvisioningBridge<TUser>;
+
+export { type ProvisioningBridge as P, type ProvisioningBridgeOptions as a, type ProvisioningStorage as b, createProvisioningBridge as c, type ProvisioningContext as d };