@iqauth/sdk 2.2.0 → 2.5.0

package/dist/service.js

@@ -446,8 +446,7 @@ function parseMfaResponse(data, browserSessionMode) {
 }
 
 // src/modules/tokens.ts
-var import_crypto = __toESM(require("crypto"));
-var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
+var import_jose = require("jose");
 var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
 var DEFAULT_TOKEN_ISSUER = [
   "https://auth.dispositioniq.com",
@@ -460,6 +459,24 @@ var DEFAULT_TOKEN_AUDIENCE = [
   "iqvalidate"
 ];
 var DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
+function decodeProtectedHeader(token) {
+  const parts = token.split(".");
+  if (parts.length < 2) return null;
+  try {
+    const padded = parts[0] + "=".repeat((4 - parts[0].length % 4) % 4);
+    const b64 = padded.replace(/-/g, "+").replace(/_/g, "/");
+    let json;
+    if (typeof atob === "function") {
+      json = atob(b64);
+    } else {
+      const { Buffer: Buffer2 } = require("buffer");
+      json = Buffer2.from(b64, "base64").toString("utf8");
+    }
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+}
 var TokensModule = class {
   constructor(baseUrl, options = {}) {
     this.jwksCache = null;
@@ -470,49 +487,49 @@ var TokensModule = class {
     this.defaultClockTolerance = options.clockTolerance ?? DEFAULT_CLOCK_TOLERANCE_SECONDS;
   }
   /**
-   * Verify a JWT access token using RS256 via JWKS from /.well-known/jwks.json.
-   * Caches JWKS keys for 1 hour. Retries once on unknown `kid`.
-   *
-   * @remarks Validates against /.well-known/jwks.json. Issuer, audience, and
-   * clock tolerance default to client config but can be overridden per call.
+   * Verify a JWT access token using RS256/ES256 via JWKS from
+   * `/.well-known/jwks.json`. Backed by `jose` (Web Crypto) so it runs on
+   * Node, browser, and edge runtimes alike — no `node:crypto` dependency.
+   * Caches JWKS for 1 hour and refetches once on unknown `kid`.
    */
   async verify(token, options = {}) {
-    const decoded = import_jsonwebtoken.default.decode(token, { complete: true });
-    if (!decoded || typeof decoded === "string") {
+    const header = decodeProtectedHeader(token);
+    if (!header) {
       throw new IQAuthError("TOKEN_INVALID", "Unable to decode token");
     }
-    const kid = decoded.header.kid;
+    const kid = header.kid;
     if (!kid) {
       throw new IQAuthError("TOKEN_INVALID", "Token missing kid header");
     }
-    let publicKey = await this.getPublicKey(kid);
-    if (!publicKey) {
-      await this.refreshJwks();
-      publicKey = await this.getPublicKey(kid);
+    let cache = await this.ensureCache();
+    if (!cache.byKid.has(kid)) {
+      this.jwksCache = null;
+      cache = await this.ensureCache();
     }
-    if (!publicKey) {
+    if (!cache.byKid.has(kid)) {
       throw new IQAuthError("TOKEN_INVALID", `Unknown key ID: ${kid}`);
     }
     const issuer = options.issuer ?? this.defaultIssuer;
     const audience = options.audience ?? this.defaultAudience;
     const clockTolerance = options.clockTolerance ?? this.defaultClockTolerance;
-    const algorithms = options.algorithms ?? ["RS256"];
+    const algorithms = options.algorithms ?? ["RS256", "ES256"];
+    const verifyOptions = {
+      algorithms,
+      clockTolerance,
+      issuer,
+      audience
+    };
     try {
-      const verifyOptions = {
-        algorithms,
-        clockTolerance,
-        // The jsonwebtoken types insist on tuple types for arrays; runtime
-        // accepts plain string[] so we cast to satisfy the compiler.
-        issuer,
-        audience
-      };
-      const verified = import_jsonwebtoken.default.verify(token, publicKey, verifyOptions);
-      return verified;
+      const { payload } = await (0, import_jose.jwtVerify)(token, cache.verifier, verifyOptions);
+      return payload;
     } catch (err) {
+      if (err instanceof import_jose.errors.JWTExpired) {
+        throw new IQAuthError("TOKEN_EXPIRED", "Token has expired");
+      }
+      if (err instanceof import_jose.errors.JOSEError) {
+        throw new IQAuthError("TOKEN_INVALID", err.message);
+      }
       if (err instanceof Error) {
-        if (err.name === "TokenExpiredError") {
-          throw new IQAuthError("TOKEN_EXPIRED", "Token has expired");
-        }
         throw new IQAuthError("TOKEN_INVALID", err.message);
       }
       throw new IQAuthError("TOKEN_INVALID", "Token verification failed");
@@ -520,29 +537,40 @@ var TokensModule = class {
   }
   /**
    * Decode a JWT without verification. Returns null if malformed.
-   *
-   * @remarks Local decode only — no network call
    */
   decode(token) {
-    const decoded = import_jsonwebtoken.default.decode(token);
-    return decoded;
+    try {
+      const parts = token.split(".");
+      if (parts.length < 2) return null;
+      const payload = parts[1];
+      const padded = payload + "=".repeat((4 - payload.length % 4) % 4);
+      const b64 = padded.replace(/-/g, "+").replace(/_/g, "/");
+      let json;
+      if (typeof atob === "function") {
+        json = atob(b64);
+      } else {
+        const { Buffer: Buffer2 } = require("buffer");
+        json = Buffer2.from(b64, "base64").toString("utf8");
+      }
+      try {
+        json = decodeURIComponent(escape(json));
+      } catch {
+      }
+      const claims = JSON.parse(json);
+      if (!claims || typeof claims !== "object") return null;
+      return claims;
+    } catch {
+      return null;
+    }
   }
-  /**
-   * Check if a token is expired based on the `exp` claim.
-   *
-   * @remarks Local check only — no network call
-   */
+  /** Check if a token is expired based on the `exp` claim. */
   isExpired(token) {
     const claims = this.decode(token);
     if (!claims?.exp) return true;
     const now = Math.floor(Date.now() / 1e3);
     return claims.exp <= now;
   }
-  /**
-   * Get the claims from a token without verification.
-   *
-   * @remarks Local decode only — no network call
-   */
+  /** Get the claims from a token without verification. */
   getClaims(token) {
     const claims = this.decode(token);
     if (!claims) {
@@ -550,11 +578,15 @@ var TokensModule = class {
     }
     return claims;
   }
-  async getPublicKey(kid) {
-    if (!this.jwksCache || Date.now() - this.jwksCache.fetchedAt > JWKS_CACHE_TTL_MS) {
-      await this.refreshJwks();
+  async ensureCache() {
+    if (this.jwksCache && Date.now() - this.jwksCache.fetchedAt <= JWKS_CACHE_TTL_MS) {
+      return this.jwksCache;
+    }
+    await this.refreshJwks();
+    if (!this.jwksCache) {
+      throw new IQAuthError("INTERNAL_ERROR", "JWKS cache unavailable after refresh");
     }
-    return this.jwksCache?.keys.get(kid) ?? null;
+    return this.jwksCache;
   }
   async refreshJwks() {
     if (this.inFlightRefresh) {
@@ -581,35 +613,24 @@ var TokensModule = class {
             "Malformed JWKS response: expected { keys: [...] }"
           );
         }
-        const keys = /* @__PURE__ */ new Map();
+        const byKid = /* @__PURE__ */ new Set();
         for (const key of jwks.keys) {
-          if (!key || typeof key.kid !== "string" || typeof key.n !== "string" || typeof key.e !== "string") {
+          if (!key || typeof key.kid !== "string" || typeof key.n !== "string" && typeof key.x !== "string" || key.kty === "RSA" && (typeof key.n !== "string" || typeof key.e !== "string")) {
             throw new IQAuthError(
               "INTERNAL_ERROR",
               "Malformed JWKS response: key missing required fields"
             );
           }
-          const pem = this.jwkToPem(key);
-          keys.set(key.kid, pem);
+          byKid.add(key.kid);
         }
-        this.jwksCache = { keys, fetchedAt: Date.now() };
+        const verifier = (0, import_jose.createLocalJWKSet)({ keys: jwks.keys });
+        this.jwksCache = { raw: jwks.keys, byKid, verifier, fetchedAt: Date.now() };
       } finally {
         this.inFlightRefresh = null;
       }
     })();
     return this.inFlightRefresh;
   }
-  jwkToPem(jwk) {
-    const keyObject = import_crypto.default.createPublicKey({
-      key: {
-        kty: jwk.kty,
-        n: jwk.n,
-        e: jwk.e
-      },
-      format: "jwk"
-    });
-    return keyObject.export({ type: "spki", format: "pem" });
-  }
   /** @internal Exposed for testing — clears JWKS cache */
   clearCache() {
     this.jwksCache = null;
@@ -817,7 +838,7 @@ var PermissionsModule = class {
 };
 
 // src/modules/oidc.ts
-var import_crypto2 = __toESM(require("crypto"));
+var import_crypto = __toESM(require("crypto"));
 var InMemoryOidcStateStore = class {
   constructor() {
     this.map = /* @__PURE__ */ new Map();
@@ -898,12 +919,12 @@ var OidcModule = class {
    * ready to redirect the user to.
    */
   async createAuthRequest(params) {
-    const codeVerifier = base64UrlEncode(import_crypto2.default.randomBytes(32));
+    const codeVerifier = base64UrlEncode(import_crypto.default.randomBytes(32));
     const codeChallenge = base64UrlEncode(
-      import_crypto2.default.createHash("sha256").update(codeVerifier).digest()
+      import_crypto.default.createHash("sha256").update(codeVerifier).digest()
     );
-    const state = base64UrlEncode(import_crypto2.default.randomBytes(16));
-    const nonce = base64UrlEncode(import_crypto2.default.randomBytes(16));
+    const state = base64UrlEncode(import_crypto.default.randomBytes(16));
+    const nonce = base64UrlEncode(import_crypto.default.randomBytes(16));
     await this.stateStore.set(state, {
       codeVerifier,
       state,

package/dist/service.mjs

@@ -1,6 +1,7 @@
 import {
   IQAuthClient
-} from "./chunk-MDUHPQMM.mjs";
+} from "./chunk-W3F4JYGP.mjs";
+import "./chunk-UNYDG2L4.mjs";
 import {
   ErrorCodes,
   IQAuthError

package/dist/signIn-CCY4JE5G.mjs

@@ -0,0 +1,15 @@
+import {
+  buildSignInUrl,
+  handleAuthCallback,
+  redirectToSignIn,
+  signIn,
+  signOut
+} from "./chunk-TKZTCPEK.mjs";
+import "./chunk-Y6FXYEAI.mjs";
+export {
+  buildSignInUrl,
+  handleAuthCallback,
+  redirectToSignIn,
+  signIn,
+  signOut
+};

package/dist/{signIn-D_kP3v-c.d.mts → signIn-CiIBTJIh.d.mts}

@@ -1,5 +1,5 @@
 import { c as ParsedPublishableKey } from './publishableKey-BaR0HoAH.mjs';
-import { d as SessionUser, J as JwtClaims } from './types-Cxl3bQHt.mjs';
+import { J as JwtClaims, d as SessionUser } from './types-DZAflmmq.mjs';
 
 /**
  * SessionManager — core browser-side session state.
@@ -28,9 +28,17 @@ type SessionStatus = "loading" | "authenticated" | "unauthenticated";
  * first-party cookie — convenient for browser-only apps but not as resistant
  * to XSS exfiltration.
  */
+/**
+ * Optional context handed to `RefreshTokenStore.write`. Multi-account stores
+ * use it to route the token to the correct per-account cookie when no
+ * "active" account is set yet (i.e. immediately after `addAccount()`).
+ */
+interface RefreshTokenWriteContext {
+    claims?: JwtClaims | null;
+}
 interface RefreshTokenStore {
     read(): string | null | Promise<string | null>;
-    write(token: string): void | Promise<void>;
+    write(token: string, ctx?: RefreshTokenWriteContext): void | Promise<void>;
     clear(): void | Promise<void>;
 }
 interface SessionSnapshot {
@@ -101,6 +109,17 @@ interface SessionManagerOptions {
      * Defaults to `false` to preserve pre-2.0.3 behavior.
      */
     serverManagedSession?: boolean;
+    /**
+     * F14 — Override the names of the cookies the SDK reads/writes. Useful when
+     * a host app already uses `iqauth_rt`/`iqauth_at` for an unrelated purpose
+     * or wants to prefix all SDK cookies. Only the `refresh` cookie is written
+     * by the browser SDK directly; `access` is for parity with the backend
+     * helpers/middleware which read it via the same umbrella option.
+     */
+    cookieNames?: {
+        refresh?: string;
+        access?: string;
+    };
 }
 declare class SessionManager {
     private snapshot;
@@ -115,9 +134,10 @@ declare class SessionManager {
     private readonly userinfoPath;
     private readonly useCookies;
     private readonly proactiveRefresh;
-    private readonly tokenStore;
+    private tokenStore;
     private readonly crossTabLockTimeoutMs;
     private readonly serverManagedSession;
+    private readonly refreshCookieName;
     private proactiveTimer;
     private bootstrapped;
     /** Pending refresh awaited by other tabs after a `refresh:claim` from us. */
@@ -129,6 +149,8 @@ declare class SessionManager {
     get appKey(): string;
     get tenantIdFromKey(): string;
     get issuerUrl(): string;
+    /** Cookie name the SDK uses for the refresh token (overridable via `cookieNames.refresh`). */
+    get refreshCookie(): string;
     getSnapshot(): SessionSnapshot;
     subscribe(listener: (s: SessionSnapshot) => void): () => void;
     /**
@@ -175,6 +197,12 @@ declare class SessionManager {
      * the server-side logout request.
      */
     signOutLocal(status?: SessionStatus): void;
+    /**
+     * Replace the refresh-token store at runtime. Used by the F22
+     * `<MultisessionAppSupport>` wrapper to swap in a `MultiAccountTokenStore`
+     * after the manager has already been constructed by `<IQAuthProvider>`.
+     */
+    setTokenStore(store: RefreshTokenStore): void;
     destroy(): void;
     private setStatus;
     private setError;
@@ -186,6 +214,180 @@ declare class SessionManager {
     private onBroadcast;
 }
 
+/**
+ * Passwordless helpers (Task #91 / F24/F25/F31). Browser-only — these wrap
+ * the issuer's `/api/v1/auth/{magic-link,passkeys,identities}` routes so
+ * non-React consumers (vanilla JS, Vue, Svelte) can integrate without
+ * pulling in framework code. React consumers should prefer the hooks
+ * exported from `@iqauth/sdk/react`.
+ *
+ * All calls use `credentials: "include"` so the issuer can promote the
+ * minted session to httpOnly cookies (`iqauth_at` / `iqauth_rt`) when
+ * the caller forwards the `x-iqauth-session: cookie` header.
+ *
+ * `iqAuthBaseUrl` is the issuer URL (e.g. https://auth.example.com); it
+ * must NOT end with a slash.
+ */
+type PasswordlessOptions = {
+    iqAuthBaseUrl: string;
+    /** When true (default), tells the issuer to set httpOnly cookies on success. */
+    cookieSession?: boolean;
+};
+type MagicLinkRequestInput = {
+    email: string;
+    /** App identifier — accepts the app id, key, or omitted for global links. */
+    appId?: string;
+    redirectUri: string;
+};
+declare function requestMagicLink(opts: PasswordlessOptions, input: MagicLinkRequestInput): Promise<{
+    ok: true;
+}>;
+declare function verifyMagicLink(opts: PasswordlessOptions, token: string): Promise<{
+    accessToken?: string;
+    user?: unknown;
+    redirectUri?: string;
+}>;
+type PasskeyAuthInput = {
+    email?: string;
+};
+declare function beginPasskeyAuthentication(opts: PasswordlessOptions, input?: PasskeyAuthInput): Promise<unknown>;
+declare function finishPasskeyAuthentication(opts: PasswordlessOptions, response: unknown): Promise<unknown>;
+declare function beginPasskeyRegistration(opts: PasswordlessOptions): Promise<unknown>;
+declare function finishPasskeyRegistration(opts: PasswordlessOptions, response: unknown, name?: string): Promise<unknown>;
+/**
+ * End-to-end passkey sign-in convenience. Loads `@simplewebauthn/browser` on
+ * demand (peer dependency) so callers that never use passkeys don't pay the
+ * bundle cost.
+ */
+declare function signInWithPasskey(opts: PasswordlessOptions, input?: PasskeyAuthInput): Promise<unknown>;
+declare function enrollPasskey(opts: PasswordlessOptions, name?: string): Promise<unknown>;
+type LinkedIdentity = {
+    id: string;
+    provider: string;
+    providerUserId: string | null;
+    linkedAt: string;
+    label?: string | null;
+    name?: string | null;
+    canUnlink: boolean;
+};
+declare function listLinkedIdentities(opts: PasswordlessOptions): Promise<LinkedIdentity[]>;
+type LinkProviderInput = {
+    provider: "google";
+    idToken: string;
+    reauth: {
+        password?: string;
+    };
+} | {
+    provider: string;
+    opaque: {
+        providerUserId: string;
+        verifiedBy: string;
+    };
+    reauth: {
+        password?: string;
+    };
+};
+declare function linkProvider(opts: PasswordlessOptions, input: LinkProviderInput): Promise<{
+    ok: true;
+}>;
+type UnlinkProviderInput = {
+    provider: string;
+    reauth: {
+        password?: string;
+    };
+};
+declare function unlinkProvider(opts: PasswordlessOptions, input: UnlinkProviderInput): Promise<{
+    ok: true;
+}>;
+
+/**
+ * Browser-only storage helpers used by the SessionManager.
+ *
+ * Storage strategy (Phase B):
+ *   - Access token: in memory only (held by SessionManager).
+ *   - Refresh token: first-party cookie on the app's own domain. The cookie
+ *     is set by the SDK callback handler and cleared on signOut.
+ *
+ * NOTE: Cookies set from JS cannot be httpOnly. Phase D (cookie-aware
+ * middleware) will move refresh-token cookie management into the app's
+ * backend so it can be httpOnly. Until then, the SDK uses a `Secure`,
+ * `SameSite=Lax` first-party cookie as a pragmatic stopgap. Nothing
+ * privileged ever lives in localStorage.
+ */
+declare const REFRESH_COOKIE = "iqauth_rt";
+interface CookieOptions {
+    maxAgeSeconds?: number;
+    path?: string;
+    domain?: string;
+    secure?: boolean;
+    sameSite?: "lax" | "strict" | "none";
+}
+declare function setCookie(name: string, value: string, opts?: CookieOptions): void;
+declare function getCookie(name: string): string | null;
+declare function clearCookie(name: string, opts?: CookieOptions): void;
+
+/**
+ * F22 — Multi-account registry.
+ *
+ * Persists the set of accounts currently signed in to a given app (keyed by
+ * the app's publishableKey appId) plus which one is "active". Each account
+ * stores a single per-account refresh cookie named `iqauth_rt_<accountId>`
+ * (where `accountId` is the user's `sub` claim), so SessionManager can
+ * pivot to any account by reading a different cookie + calling refresh().
+ *
+ * NOTE: We deliberately do NOT store refresh tokens in localStorage — they
+ * stay in cookies (same security posture as the single-account default).
+ * localStorage holds only public profile data + ordering metadata.
+ */
+
+interface AccountRecord {
+    accountId: string;
+    userId: string;
+    email: string;
+    name: string;
+    tenantId: string | null;
+    addedAt: number;
+}
+declare class AccountRegistry {
+    private readonly appId;
+    private listeners;
+    private storageHandler;
+    constructor(appId: string);
+    destroy(): void;
+    list(): AccountRecord[];
+    active(): string | null;
+    get(accountId: string): AccountRecord | null;
+    upsert(rec: AccountRecord): void;
+    setActive(accountId: string | null): void;
+    remove(accountId: string): void;
+    subscribe(listener: () => void): () => void;
+    /**
+     * Read the refresh token for a specific account from its per-account
+     * cookie. Used by `MultiAccountTokenStore.read()`.
+     */
+    readRefreshToken(accountId: string): string | null;
+    /**
+     * Persist a refresh token to the per-account cookie. Caller is the
+     * SessionManager via `MultiAccountTokenStore.write()`.
+     */
+    writeRefreshToken(accountId: string, token: string, opts?: CookieOptions): void;
+    clearRefreshToken(accountId: string): void;
+    private notify;
+}
+/**
+ * RefreshTokenStore that reads/writes the active account's per-account
+ * cookie. Falls back to a configurable single-account store when no active
+ * account is set (e.g. before the first sign-in completes).
+ */
+declare class MultiAccountTokenStore implements RefreshTokenStore {
+    private readonly registry;
+    private readonly fallback;
+    constructor(registry: AccountRegistry, fallback: RefreshTokenStore);
+    read(): string | null | Promise<string | null>;
+    write(token: string, ctx?: RefreshTokenWriteContext): void | Promise<void>;
+    clear(): void | Promise<void>;
+}
+
 /**
  * Sign-in / sign-out / callback helpers that build on top of the
  * SessionManager. These are usable both from React (via the hook helpers in
@@ -208,6 +410,20 @@ interface SignInOptions {
     redirectUri?: string;
     /** Extra OIDC scopes beyond `openid` to request. */
     scope?: string;
+    /**
+     * F14 — Override SDK cookie names. `refresh` controls where the JS
+     * fallback writes the refresh token after the callback exchange.
+     */
+    cookieNames?: {
+        refresh?: string;
+    };
+    /**
+     * OIDC `prompt` parameter. `"login"` forces the IQAuth host to show the
+     * sign-in form even if a single-sign-on session already exists — used by
+     * the multi-account `addAccount()` helper to add a second account in
+     * parallel rather than re-using the active session.
+     */
+    prompt?: "login" | "none" | "consent" | "select_account";
 }
 interface SignOutOptions {
     /** Where to send the user after sign out. Defaults to the current page. */
@@ -216,6 +432,14 @@ interface SignOutOptions {
     logoutPath?: string;
     /** Skip the network call to IQAuth and just clear the local session. */
     localOnly?: boolean;
+    /**
+     * Also clear the IQAuth single-sign-on session (the `iq_sso` cookie on the
+     * issuer host). When `true` (the default), the next visit to `/sign-in`
+     * will show the login form instead of silently resuming the prior session.
+     * Set to `false` to preserve SSO across other apps in the same IQAuth
+     * tenant (e.g. log out of one app but stay signed in to others).
+     */
+    endSsoSession?: boolean;
 }
 interface CallbackResult {
     ok: boolean;
@@ -250,6 +474,10 @@ declare function handleAuthCallback(manager: SessionManager, options?: {
     url?: string;
     tokenPath?: string;
     fetchImpl?: typeof fetch;
+    /** F14 — refresh-cookie name override (defaults to `manager.refreshCookie`). */
+    cookieNames?: {
+        refresh?: string;
+    };
 }): Promise<CallbackResult>;
 /**
  * Clear the local session, ask IQAuth to revoke the refresh token, and
@@ -257,4 +485,4 @@ declare function handleAuthCallback(manager: SessionManager, options?: {
  */
 declare function signOut(manager: SessionManager, opts?: SignOutOptions): Promise<void>;
 
-export { type CallbackResult as C, SessionManager as S, type SessionSnapshot as a, type SignInOptions as b, type SignOutOptions as c, type SessionManagerOptions as d, type SessionStatus as e, buildSignInUrl as f, signOut as g, handleAuthCallback as h, redirectToSignIn as r, signIn as s };
+export { AccountRegistry as A, clearCookie as B, type CallbackResult as C, getCookie as D, setCookie as E, type LinkedIdentity as L, type MagicLinkRequestInput as M, type PasswordlessOptions as P, type RefreshTokenStore as R, SessionManager as S, type UnlinkProviderInput as U, type SessionManagerOptions as a, type SessionSnapshot as b, type SessionStatus as c, beginPasskeyAuthentication as d, beginPasskeyRegistration as e, finishPasskeyAuthentication as f, finishPasskeyRegistration as g, enrollPasskey as h, linkProvider as i, type PasskeyAuthInput as j, type LinkProviderInput as k, listLinkedIdentities as l, MultiAccountTokenStore as m, type AccountRecord as n, buildSignInUrl as o, handleAuthCallback as p, redirectToSignIn as q, requestMagicLink as r, signInWithPasskey as s, signIn as t, unlinkProvider as u, verifyMagicLink as v, signOut as w, type SignInOptions as x, type SignOutOptions as y, REFRESH_COOKIE as z };