@iqauth/sdk 2.2.0 → 2.5.0

package/dist/{express-B4o3P8vK.d.ts → express-CHpfa7D_.d.ts}

@@ -1,5 +1,5 @@
-import { I as IQAuthClient } from './client-DXbHb2ul.js';
-import { J as JwtClaims, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.js';
+import { I as IQAuthClient } from './client-BNQe3AgF.js';
+import { J as JwtClaims, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-DZAflmmq.js';
 
 /**
  * SOURCE REFS:
@@ -34,6 +34,27 @@ interface CookieAwareMiddlewareOptions extends ExpressMiddlewareOptions {
      * configured access cookie. When false, only the bearer header is checked.
      */
     cookieAware?: boolean;
+    /**
+     * F14 — Umbrella shorthand for `accessCookieName` / `refreshCookieName`.
+     * When both forms are supplied the individual fields win for back-compat.
+     */
+    cookieNames?: {
+        access?: string;
+        refresh?: string;
+    };
+    /**
+     * F33 — Declarative protect/public route configuration. When `protect` is
+     * given, only requests whose path matches one of the patterns are
+     * verified; everything else is allowed through (`req.auth` left unset).
+     * When `publicRoutes` is given, those paths are always allowed through
+     * even if `protect` would have matched. Each entry is either a glob-like
+     * string (`*` = single segment, `**` = any path remainder) or a `RegExp`.
+     *
+     * If neither is given, the middleware behaves as before — every request
+     * goes through the verifier.
+     */
+    protect?: Array<string | RegExp>;
+    publicRoutes?: Array<string | RegExp>;
 }
 /**
  * Express middleware that verifies access tokens via the SDK's token verifier.

package/dist/express.d.mts

@@ -1,10 +1,10 @@
-import { I as IQAuthClient } from './client-Dv4v92Mj.mjs';
-import { C as CookieAwareMiddlewareOptions } from './express-BZmF1llh.mjs';
-export { i as iqAuthMiddleware } from './express-BZmF1llh.mjs';
+import { I as IQAuthClient } from './client-kYlJFgPv.mjs';
+import { C as CookieAwareMiddlewareOptions } from './express-B6_1vBYZ.mjs';
+export { i as iqAuthMiddleware } from './express-B6_1vBYZ.mjs';
 import { IQAuthHelperConfig } from './server/handlers.mjs';
-import { Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.mjs';
+import { Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-DZAflmmq.mjs';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.mjs';
-import 'jsonwebtoken';
+import './tokens-DCyzzn8L.mjs';
 
 /**
  * @iqauth/sdk/express — drop-in Express adapter.
@@ -22,18 +22,89 @@ import 'jsonwebtoken';
  *   app.use(iqAuth({ publishableKey: process.env.IQAUTH_PUBLISHABLE_KEY!, secretKey: process.env.IQAUTH_SECRET_KEY! }));
  */
 
+interface InlineCallbackBrandedRenderArgs {
+    /** Issuer URL the SDK will use to mint the authorization code (publishable key origin). */
+    issuer: string;
+    /** Path of the JSON exchange endpoint to POST to (e.g. `/api/iqauth/callback/exchange`). */
+    exchangePath: string;
+    /** The raw `?code=` value from the OAuth redirect (already escaped for HTML). */
+    code: string;
+    /** The raw `?state=` value from the OAuth redirect (already escaped for HTML). */
+    state: string;
+    /** If `errorPath` is configured on the inline-callback options, it's threaded
+     * here so a custom render function can reuse it for its own catch handler.
+     * `""` when unset. */
+    errorPath?: string;
+}
+interface InlineCallbackBrandedConfig {
+    /**
+     * Optional override for the spinner page HTML. Receives the issuer URL, the
+     * exchange endpoint path, and the (HTML-escaped) `code` + `state` from the
+     * OAuth redirect. Returns a full HTML document. When omitted, a minimal
+     * neutral spinner is rendered.
+     */
+    render?: (args: InlineCallbackBrandedRenderArgs) => string;
+}
+interface InlineCallbackConfig {
+    /**
+     * When truthy, mount a GET-method handler on the same path as the POST
+     * callback so the OAuth redirect lands on a server-rendered page (no
+     * blank-tab while waiting for client JS). When `false`, only `POST` is
+     * mounted (the browser SDK posts the code + verifier itself).
+     *
+     * - `inlineCallback: true` — GET exchanges the code synchronously
+     *   (PKCE verifier read from the `iqauth_pkce` first-party cookie set by
+     *   the browser SDK before redirect) and 302s to the final URL.
+     *
+     * - `inlineCallback: { branded: true }` — GET returns a small spinner HTML
+     *   document; the exchange happens via a sibling JSON endpoint at
+     *   `${callbackPath}/exchange`.
+     *
+     * - `inlineCallback: { branded: { render } }` — same as above but lets
+     *   you supply your own HTML (logo, copy, theme).
+     */
+    branded?: boolean | InlineCallbackBrandedConfig;
+    /**
+     * Where to redirect on a failed inline callback (state mismatch, missing
+     * code, code-exchange error from the issuer, etc). When omitted, the
+     * plain inline flow returns a JSON error body and the branded flow
+     * surfaces the failure via the spinner script's catch handler. When set,
+     * the GET handler 302s to this path with `?error=<code>` appended.
+     */
+    errorPath?: string;
+    /**
+     * Cookie name the browser SDK uses to publish the OAuth `state` value
+     * before redirect. Validated against the `?state=` query param on the
+     * return trip. Defaults to `iqauth_state`.
+     */
+    stateCookieName?: string;
+    /**
+     * Cookie name the browser SDK uses to publish the post-login destination
+     * before redirect. The inline GET handler reads it and 302s the user
+     * there after a successful exchange. Defaults to `iqauth_return_to`.
+     */
+    returnToCookieName?: string;
+}
 interface IQAuthExpressOptions extends IQAuthHelperConfig, CookieAwareMiddlewareOptions {
     /** Mount path prefix for the auto-mounted helper routes. */
     mountPath?: string;
     /** Set to false to skip mounting helper routes (verify-only mode). */
     mountHelperRoutes?: boolean;
+    /**
+     * Mount a GET handler on the callback path so the OAuth redirect lands
+     * on a server-rendered page. Off by default (browser SDK posts the code
+     * itself). See {@link InlineCallbackConfig}.
+     */
+    inlineCallback?: boolean | InlineCallbackConfig;
 }
 interface ExpressLikeApp {
     post(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
+    get?(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
     use?: (...args: unknown[]) => unknown;
 }
 interface ExpressLikeRouter {
     post(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
+    get?(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
 }
 declare function iqAuth(options: IQAuthExpressOptions): {
     (req: IQAuthRequestLike, res: IQAuthResponseLike, next: IQAuthNextFunction): unknown;
@@ -42,4 +113,4 @@ declare function iqAuth(options: IQAuthExpressOptions): {
     client: IQAuthClient;
 };
 
-export { CookieAwareMiddlewareOptions, type IQAuthExpressOptions, iqAuth };
+export { CookieAwareMiddlewareOptions, type IQAuthExpressOptions, type InlineCallbackBrandedConfig, type InlineCallbackBrandedRenderArgs, type InlineCallbackConfig, iqAuth };

package/dist/express.d.ts

@@ -1,10 +1,10 @@
-import { I as IQAuthClient } from './client-DXbHb2ul.js';
-import { C as CookieAwareMiddlewareOptions } from './express-B4o3P8vK.js';
-export { i as iqAuthMiddleware } from './express-B4o3P8vK.js';
+import { I as IQAuthClient } from './client-BNQe3AgF.js';
+import { C as CookieAwareMiddlewareOptions } from './express-CHpfa7D_.js';
+export { i as iqAuthMiddleware } from './express-CHpfa7D_.js';
 import { IQAuthHelperConfig } from './server/handlers.js';
-import { Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.js';
+import { Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-DZAflmmq.js';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.js';
-import 'jsonwebtoken';
+import './tokens-aHiGFr_E.js';
 
 /**
  * @iqauth/sdk/express — drop-in Express adapter.
@@ -22,18 +22,89 @@ import 'jsonwebtoken';
  *   app.use(iqAuth({ publishableKey: process.env.IQAUTH_PUBLISHABLE_KEY!, secretKey: process.env.IQAUTH_SECRET_KEY! }));
  */
 
+interface InlineCallbackBrandedRenderArgs {
+    /** Issuer URL the SDK will use to mint the authorization code (publishable key origin). */
+    issuer: string;
+    /** Path of the JSON exchange endpoint to POST to (e.g. `/api/iqauth/callback/exchange`). */
+    exchangePath: string;
+    /** The raw `?code=` value from the OAuth redirect (already escaped for HTML). */
+    code: string;
+    /** The raw `?state=` value from the OAuth redirect (already escaped for HTML). */
+    state: string;
+    /** If `errorPath` is configured on the inline-callback options, it's threaded
+     * here so a custom render function can reuse it for its own catch handler.
+     * `""` when unset. */
+    errorPath?: string;
+}
+interface InlineCallbackBrandedConfig {
+    /**
+     * Optional override for the spinner page HTML. Receives the issuer URL, the
+     * exchange endpoint path, and the (HTML-escaped) `code` + `state` from the
+     * OAuth redirect. Returns a full HTML document. When omitted, a minimal
+     * neutral spinner is rendered.
+     */
+    render?: (args: InlineCallbackBrandedRenderArgs) => string;
+}
+interface InlineCallbackConfig {
+    /**
+     * When truthy, mount a GET-method handler on the same path as the POST
+     * callback so the OAuth redirect lands on a server-rendered page (no
+     * blank-tab while waiting for client JS). When `false`, only `POST` is
+     * mounted (the browser SDK posts the code + verifier itself).
+     *
+     * - `inlineCallback: true` — GET exchanges the code synchronously
+     *   (PKCE verifier read from the `iqauth_pkce` first-party cookie set by
+     *   the browser SDK before redirect) and 302s to the final URL.
+     *
+     * - `inlineCallback: { branded: true }` — GET returns a small spinner HTML
+     *   document; the exchange happens via a sibling JSON endpoint at
+     *   `${callbackPath}/exchange`.
+     *
+     * - `inlineCallback: { branded: { render } }` — same as above but lets
+     *   you supply your own HTML (logo, copy, theme).
+     */
+    branded?: boolean | InlineCallbackBrandedConfig;
+    /**
+     * Where to redirect on a failed inline callback (state mismatch, missing
+     * code, code-exchange error from the issuer, etc). When omitted, the
+     * plain inline flow returns a JSON error body and the branded flow
+     * surfaces the failure via the spinner script's catch handler. When set,
+     * the GET handler 302s to this path with `?error=<code>` appended.
+     */
+    errorPath?: string;
+    /**
+     * Cookie name the browser SDK uses to publish the OAuth `state` value
+     * before redirect. Validated against the `?state=` query param on the
+     * return trip. Defaults to `iqauth_state`.
+     */
+    stateCookieName?: string;
+    /**
+     * Cookie name the browser SDK uses to publish the post-login destination
+     * before redirect. The inline GET handler reads it and 302s the user
+     * there after a successful exchange. Defaults to `iqauth_return_to`.
+     */
+    returnToCookieName?: string;
+}
 interface IQAuthExpressOptions extends IQAuthHelperConfig, CookieAwareMiddlewareOptions {
     /** Mount path prefix for the auto-mounted helper routes. */
     mountPath?: string;
     /** Set to false to skip mounting helper routes (verify-only mode). */
     mountHelperRoutes?: boolean;
+    /**
+     * Mount a GET handler on the callback path so the OAuth redirect lands
+     * on a server-rendered page. Off by default (browser SDK posts the code
+     * itself). See {@link InlineCallbackConfig}.
+     */
+    inlineCallback?: boolean | InlineCallbackConfig;
 }
 interface ExpressLikeApp {
     post(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
+    get?(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
     use?: (...args: unknown[]) => unknown;
 }
 interface ExpressLikeRouter {
     post(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
+    get?(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
 }
 declare function iqAuth(options: IQAuthExpressOptions): {
     (req: IQAuthRequestLike, res: IQAuthResponseLike, next: IQAuthNextFunction): unknown;
@@ -42,4 +113,4 @@ declare function iqAuth(options: IQAuthExpressOptions): {
     client: IQAuthClient;
 };
 
-export { CookieAwareMiddlewareOptions, type IQAuthExpressOptions, iqAuth };
+export { CookieAwareMiddlewareOptions, type IQAuthExpressOptions, type InlineCallbackBrandedConfig, type InlineCallbackBrandedRenderArgs, type InlineCallbackConfig, iqAuth };