@iqauth/sdk 2.3.0 → 2.5.0

package/dist/browser.mjs

@@ -1,6 +1,28 @@
 import {
-  REFRESH_COOKIE,
+  PRIOR_SESSION_STORAGE_KEY,
+  enterImpersonation,
+  exitImpersonation,
+  reverify,
+  withReverification
+} from "./chunk-LIZYFXH7.mjs";
+import {
+  AccountRegistry,
+  MultiAccountTokenStore,
   SessionManager,
+  beginPasskeyAuthentication,
+  beginPasskeyRegistration,
+  enrollPasskey,
+  finishPasskeyAuthentication,
+  finishPasskeyRegistration,
+  linkProvider,
+  listLinkedIdentities,
+  requestMagicLink,
+  signInWithPasskey,
+  unlinkProvider,
+  verifyMagicLink
+} from "./chunk-76W5TLQQ.mjs";
+import {
+  REFRESH_COOKIE,
   buildSignInUrl,
   clearCookie,
   createPkcePair,
@@ -12,7 +34,7 @@ import {
   setCookie,
   signIn,
   signOut
-} from "./chunk-RACIPVLD.mjs";
+} from "./chunk-TKZTCPEK.mjs";
 import {
   encodePublishableKey,
   isPublishableKey,
@@ -25,23 +47,41 @@ import {
 } from "./chunk-6I6RM4MN.mjs";
 import "./chunk-Y6FXYEAI.mjs";
 export {
+  AccountRegistry,
   ErrorCodes,
   IQAuthError,
+  MultiAccountTokenStore,
+  PRIOR_SESSION_STORAGE_KEY,
   REFRESH_COOKIE,
   SessionManager,
+  beginPasskeyAuthentication,
+  beginPasskeyRegistration,
   buildSignInUrl,
   clearCookie,
   createPkcePair,
   encodePublishableKey,
+  enrollPasskey,
+  enterImpersonation,
+  exitImpersonation,
+  finishPasskeyAuthentication,
+  finishPasskeyRegistration,
   getCookie,
   handleAuthCallback,
   isPublishableKey,
   isSecretKey,
+  linkProvider,
+  listLinkedIdentities,
   parsePublishableKey,
   randomUrlSafe,
   redirectToSignIn,
+  requestMagicLink,
+  reverify,
   s256Challenge,
   setCookie,
   signIn,
-  signOut
+  signInWithPasskey,
+  signOut,
+  unlinkProvider,
+  verifyMagicLink,
+  withReverification
 };

package/dist/bundle-LUKDQYVQ.mjs

@@ -0,0 +1,374 @@
+import "./chunk-Y6FXYEAI.mjs";
+
+// ../../node_modules/@simplewebauthn/browser/dist/bundle/index.js
+function bufferToBase64URLString(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let str = "";
+  for (const charCode of bytes) {
+    str += String.fromCharCode(charCode);
+  }
+  const base64String = btoa(str);
+  return base64String.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function base64URLStringToBuffer(base64URLString) {
+  const base64 = base64URLString.replace(/-/g, "+").replace(/_/g, "/");
+  const padLength = (4 - base64.length % 4) % 4;
+  const padded = base64.padEnd(base64.length + padLength, "=");
+  const binary = atob(padded);
+  const buffer = new ArrayBuffer(binary.length);
+  const bytes = new Uint8Array(buffer);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return buffer;
+}
+function browserSupportsWebAuthn() {
+  return window?.PublicKeyCredential !== void 0 && typeof window.PublicKeyCredential === "function";
+}
+function toPublicKeyCredentialDescriptor(descriptor) {
+  const { id } = descriptor;
+  return {
+    ...descriptor,
+    id: base64URLStringToBuffer(id),
+    transports: descriptor.transports
+  };
+}
+function isValidDomain(hostname) {
+  return hostname === "localhost" || /^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$/i.test(hostname);
+}
+var WebAuthnError = class extends Error {
+  constructor({ message, code, cause, name }) {
+    super(message, { cause });
+    this.name = name ?? cause.name;
+    this.code = code;
+  }
+};
+function identifyRegistrationError({ error, options }) {
+  const { publicKey } = options;
+  if (!publicKey) {
+    throw Error("options was missing required publicKey property");
+  }
+  if (error.name === "AbortError") {
+    if (options.signal instanceof AbortSignal) {
+      return new WebAuthnError({
+        message: "Registration ceremony was sent an abort signal",
+        code: "ERROR_CEREMONY_ABORTED",
+        cause: error
+      });
+    }
+  } else if (error.name === "ConstraintError") {
+    if (publicKey.authenticatorSelection?.requireResidentKey === true) {
+      return new WebAuthnError({
+        message: "Discoverable credentials were required but no available authenticator supported it",
+        code: "ERROR_AUTHENTICATOR_MISSING_DISCOVERABLE_CREDENTIAL_SUPPORT",
+        cause: error
+      });
+    } else if (options.mediation === "conditional" && publicKey.authenticatorSelection?.userVerification === "required") {
+      return new WebAuthnError({
+        message: "User verification was required during automatic registration but it could not be performed",
+        code: "ERROR_AUTO_REGISTER_USER_VERIFICATION_FAILURE",
+        cause: error
+      });
+    } else if (publicKey.authenticatorSelection?.userVerification === "required") {
+      return new WebAuthnError({
+        message: "User verification was required but no available authenticator supported it",
+        code: "ERROR_AUTHENTICATOR_MISSING_USER_VERIFICATION_SUPPORT",
+        cause: error
+      });
+    }
+  } else if (error.name === "InvalidStateError") {
+    return new WebAuthnError({
+      message: "The authenticator was previously registered",
+      code: "ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED",
+      cause: error
+    });
+  } else if (error.name === "NotAllowedError") {
+    return new WebAuthnError({
+      message: error.message,
+      code: "ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY",
+      cause: error
+    });
+  } else if (error.name === "NotSupportedError") {
+    const validPubKeyCredParams = publicKey.pubKeyCredParams.filter((param) => param.type === "public-key");
+    if (validPubKeyCredParams.length === 0) {
+      return new WebAuthnError({
+        message: 'No entry in pubKeyCredParams was of type "public-key"',
+        code: "ERROR_MALFORMED_PUBKEYCREDPARAMS",
+        cause: error
+      });
+    }
+    return new WebAuthnError({
+      message: "No available authenticator supported any of the specified pubKeyCredParams algorithms",
+      code: "ERROR_AUTHENTICATOR_NO_SUPPORTED_PUBKEYCREDPARAMS_ALG",
+      cause: error
+    });
+  } else if (error.name === "SecurityError") {
+    const effectiveDomain = window.location.hostname;
+    if (!isValidDomain(effectiveDomain)) {
+      return new WebAuthnError({
+        message: `${window.location.hostname} is an invalid domain`,
+        code: "ERROR_INVALID_DOMAIN",
+        cause: error
+      });
+    } else if (publicKey.rp.id !== effectiveDomain) {
+      return new WebAuthnError({
+        message: `The RP ID "${publicKey.rp.id}" is invalid for this domain`,
+        code: "ERROR_INVALID_RP_ID",
+        cause: error
+      });
+    }
+  } else if (error.name === "TypeError") {
+    if (publicKey.user.id.byteLength < 1 || publicKey.user.id.byteLength > 64) {
+      return new WebAuthnError({
+        message: "User ID was not between 1 and 64 characters",
+        code: "ERROR_INVALID_USER_ID_LENGTH",
+        cause: error
+      });
+    }
+  } else if (error.name === "UnknownError") {
+    return new WebAuthnError({
+      message: "The authenticator was unable to process the specified options, or could not create a new credential",
+      code: "ERROR_AUTHENTICATOR_GENERAL_ERROR",
+      cause: error
+    });
+  }
+  return error;
+}
+var BaseWebAuthnAbortService = class {
+  createNewAbortSignal() {
+    if (this.controller) {
+      const abortError = new Error("Cancelling existing WebAuthn API call for new one");
+      abortError.name = "AbortError";
+      this.controller.abort(abortError);
+    }
+    const newController = new AbortController();
+    this.controller = newController;
+    return newController.signal;
+  }
+  cancelCeremony() {
+    if (this.controller) {
+      const abortError = new Error("Manually cancelling existing WebAuthn API call");
+      abortError.name = "AbortError";
+      this.controller.abort(abortError);
+      this.controller = void 0;
+    }
+  }
+};
+var WebAuthnAbortService = new BaseWebAuthnAbortService();
+var attachments = ["cross-platform", "platform"];
+function toAuthenticatorAttachment(attachment) {
+  if (!attachment) {
+    return;
+  }
+  if (attachments.indexOf(attachment) < 0) {
+    return;
+  }
+  return attachment;
+}
+async function startRegistration(options) {
+  const { optionsJSON, useAutoRegister = false } = options;
+  if (!browserSupportsWebAuthn()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  const publicKey = {
+    ...optionsJSON,
+    challenge: base64URLStringToBuffer(optionsJSON.challenge),
+    user: {
+      ...optionsJSON.user,
+      id: base64URLStringToBuffer(optionsJSON.user.id)
+    },
+    excludeCredentials: optionsJSON.excludeCredentials?.map(toPublicKeyCredentialDescriptor)
+  };
+  const createOptions = {};
+  if (useAutoRegister) {
+    createOptions.mediation = "conditional";
+  }
+  createOptions.publicKey = publicKey;
+  createOptions.signal = WebAuthnAbortService.createNewAbortSignal();
+  let credential;
+  try {
+    credential = await navigator.credentials.create(createOptions);
+  } catch (err) {
+    throw identifyRegistrationError({ error: err, options: createOptions });
+  }
+  if (!credential) {
+    throw new Error("Registration was not completed");
+  }
+  const { id, rawId, response, type } = credential;
+  let transports = void 0;
+  if (typeof response.getTransports === "function") {
+    transports = response.getTransports();
+  }
+  let responsePublicKeyAlgorithm = void 0;
+  if (typeof response.getPublicKeyAlgorithm === "function") {
+    try {
+      responsePublicKeyAlgorithm = response.getPublicKeyAlgorithm();
+    } catch (error) {
+      warnOnBrokenImplementation("getPublicKeyAlgorithm()", error);
+    }
+  }
+  let responsePublicKey = void 0;
+  if (typeof response.getPublicKey === "function") {
+    try {
+      const _publicKey = response.getPublicKey();
+      if (_publicKey !== null) {
+        responsePublicKey = bufferToBase64URLString(_publicKey);
+      }
+    } catch (error) {
+      warnOnBrokenImplementation("getPublicKey()", error);
+    }
+  }
+  let responseAuthenticatorData;
+  if (typeof response.getAuthenticatorData === "function") {
+    try {
+      responseAuthenticatorData = bufferToBase64URLString(response.getAuthenticatorData());
+    } catch (error) {
+      warnOnBrokenImplementation("getAuthenticatorData()", error);
+    }
+  }
+  return {
+    id,
+    rawId: bufferToBase64URLString(rawId),
+    response: {
+      attestationObject: bufferToBase64URLString(response.attestationObject),
+      clientDataJSON: bufferToBase64URLString(response.clientDataJSON),
+      transports,
+      publicKeyAlgorithm: responsePublicKeyAlgorithm,
+      publicKey: responsePublicKey,
+      authenticatorData: responseAuthenticatorData
+    },
+    type,
+    clientExtensionResults: credential.getClientExtensionResults(),
+    authenticatorAttachment: toAuthenticatorAttachment(credential.authenticatorAttachment)
+  };
+}
+function warnOnBrokenImplementation(methodName, cause) {
+  console.warn(`The browser extension that intercepted this WebAuthn API call incorrectly implemented ${methodName}. You should report this error to them.
+`, cause);
+}
+function browserSupportsWebAuthnAutofill() {
+  if (!browserSupportsWebAuthn()) {
+    return new Promise((resolve) => resolve(false));
+  }
+  const globalPublicKeyCredential = window.PublicKeyCredential;
+  if (globalPublicKeyCredential.isConditionalMediationAvailable === void 0) {
+    return new Promise((resolve) => resolve(false));
+  }
+  return globalPublicKeyCredential.isConditionalMediationAvailable();
+}
+function identifyAuthenticationError({ error, options }) {
+  const { publicKey } = options;
+  if (!publicKey) {
+    throw Error("options was missing required publicKey property");
+  }
+  if (error.name === "AbortError") {
+    if (options.signal instanceof AbortSignal) {
+      return new WebAuthnError({
+        message: "Authentication ceremony was sent an abort signal",
+        code: "ERROR_CEREMONY_ABORTED",
+        cause: error
+      });
+    }
+  } else if (error.name === "NotAllowedError") {
+    return new WebAuthnError({
+      message: error.message,
+      code: "ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY",
+      cause: error
+    });
+  } else if (error.name === "SecurityError") {
+    const effectiveDomain = window.location.hostname;
+    if (!isValidDomain(effectiveDomain)) {
+      return new WebAuthnError({
+        message: `${window.location.hostname} is an invalid domain`,
+        code: "ERROR_INVALID_DOMAIN",
+        cause: error
+      });
+    } else if (publicKey.rpId !== effectiveDomain) {
+      return new WebAuthnError({
+        message: `The RP ID "${publicKey.rpId}" is invalid for this domain`,
+        code: "ERROR_INVALID_RP_ID",
+        cause: error
+      });
+    }
+  } else if (error.name === "UnknownError") {
+    return new WebAuthnError({
+      message: "The authenticator was unable to process the specified options, or could not create a new assertion signature",
+      code: "ERROR_AUTHENTICATOR_GENERAL_ERROR",
+      cause: error
+    });
+  }
+  return error;
+}
+async function startAuthentication(options) {
+  const { optionsJSON, useBrowserAutofill = false, verifyBrowserAutofillInput = true } = options;
+  if (!browserSupportsWebAuthn()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  let allowCredentials;
+  if (optionsJSON.allowCredentials?.length !== 0) {
+    allowCredentials = optionsJSON.allowCredentials?.map(toPublicKeyCredentialDescriptor);
+  }
+  const publicKey = {
+    ...optionsJSON,
+    challenge: base64URLStringToBuffer(optionsJSON.challenge),
+    allowCredentials
+  };
+  const getOptions = {};
+  if (useBrowserAutofill) {
+    if (!await browserSupportsWebAuthnAutofill()) {
+      throw Error("Browser does not support WebAuthn autofill");
+    }
+    const eligibleInputs = document.querySelectorAll("input[autocomplete$='webauthn']");
+    if (eligibleInputs.length < 1 && verifyBrowserAutofillInput) {
+      throw Error('No <input> with "webauthn" as the only or last value in its `autocomplete` attribute was detected');
+    }
+    getOptions.mediation = "conditional";
+    publicKey.allowCredentials = [];
+  }
+  getOptions.publicKey = publicKey;
+  getOptions.signal = WebAuthnAbortService.createNewAbortSignal();
+  let credential;
+  try {
+    credential = await navigator.credentials.get(getOptions);
+  } catch (err) {
+    throw identifyAuthenticationError({ error: err, options: getOptions });
+  }
+  if (!credential) {
+    throw new Error("Authentication was not completed");
+  }
+  const { id, rawId, response, type } = credential;
+  let userHandle = void 0;
+  if (response.userHandle) {
+    userHandle = bufferToBase64URLString(response.userHandle);
+  }
+  return {
+    id,
+    rawId: bufferToBase64URLString(rawId),
+    response: {
+      authenticatorData: bufferToBase64URLString(response.authenticatorData),
+      clientDataJSON: bufferToBase64URLString(response.clientDataJSON),
+      signature: bufferToBase64URLString(response.signature),
+      userHandle
+    },
+    type,
+    clientExtensionResults: credential.getClientExtensionResults(),
+    authenticatorAttachment: toAuthenticatorAttachment(credential.authenticatorAttachment)
+  };
+}
+function platformAuthenticatorIsAvailable() {
+  if (!browserSupportsWebAuthn()) {
+    return new Promise((resolve) => resolve(false));
+  }
+  return PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
+}
+export {
+  WebAuthnAbortService,
+  WebAuthnError,
+  base64URLStringToBuffer,
+  browserSupportsWebAuthn,
+  browserSupportsWebAuthnAutofill,
+  bufferToBase64URLString,
+  platformAuthenticatorIsAvailable,
+  startAuthentication,
+  startRegistration
+};

package/dist/chunk-3JULWS6F.mjs

@@ -0,0 +1,106 @@
+import {
+  assertPublishableKey
+} from "./chunk-WQWBJSSS.mjs";
+import {
+  TokensModule
+} from "./chunk-UNYDG2L4.mjs";
+import {
+  IQAuthError
+} from "./chunk-6I6RM4MN.mjs";
+
+// src/ws.ts
+var DEFAULT_COOKIE = "iqauth_at";
+var DEFAULT_SUBPROTOCOL_PREFIX = "iqauth.bearer.";
+var JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
+var tokensByIssuer = /* @__PURE__ */ new Map();
+function getTokens(issuer) {
+  let mod = tokensByIssuer.get(issuer);
+  if (!mod) {
+    mod = new TokensModule(issuer);
+    tokensByIssuer.set(issuer, mod);
+  }
+  return mod;
+}
+function firstHeader(value) {
+  if (Array.isArray(value)) return value[0];
+  return value;
+}
+function readCookie(cookieHeader, name) {
+  if (!cookieHeader) return void 0;
+  const target = `${name}=`;
+  for (const seg of cookieHeader.split(";")) {
+    const t = seg.trim();
+    if (t.startsWith(target)) {
+      try {
+        return decodeURIComponent(t.slice(target.length));
+      } catch {
+        return t.slice(target.length);
+      }
+    }
+  }
+  return void 0;
+}
+function extractToken(req, cookieName, subprotocolPrefix) {
+  let authHeader;
+  let cookieHeader;
+  let subprotoHeader;
+  if ("headers" in req && req.headers && typeof req.headers === "object") {
+    authHeader = firstHeader(req.headers.authorization);
+    cookieHeader = firstHeader(req.headers.cookie);
+    subprotoHeader = firstHeader(req.headers["sec-websocket-protocol"]);
+  } else {
+    const r = req;
+    authHeader = r.authorization;
+    cookieHeader = r.cookie;
+    subprotoHeader = r.secWebSocketProtocol;
+  }
+  if (authHeader && /^Bearer /i.test(authHeader)) {
+    return authHeader.slice(7).trim();
+  }
+  if (cookieName && cookieHeader) {
+    const fromCookie = readCookie(cookieHeader, cookieName);
+    if (fromCookie) return fromCookie;
+  }
+  if (subprotocolPrefix !== null && subprotoHeader) {
+    const protos = subprotoHeader.split(",").map((s) => s.trim()).filter(Boolean);
+    for (const proto of protos) {
+      if (subprotocolPrefix && proto.startsWith(subprotocolPrefix)) {
+        return proto.slice(subprotocolPrefix.length);
+      }
+      if (JWT_SHAPE.test(proto)) return proto;
+    }
+  }
+  return void 0;
+}
+async function verifyWsUpgrade(req, options) {
+  const parsed = assertPublishableKey(options.publishableKey, {
+    context: "@iqauth/sdk/ws"
+  });
+  const issuer = (options.issuer && typeof options.issuer === "string" ? options.issuer : parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`).replace(/\/+$/, "");
+  const cookieName = options.cookieName === void 0 ? DEFAULT_COOKIE : options.cookieName;
+  const subprotocolPrefix = options.subprotocolPrefix === void 0 ? DEFAULT_SUBPROTOCOL_PREFIX : options.subprotocolPrefix;
+  const token = extractToken(req, cookieName, subprotocolPrefix);
+  if (!token) return null;
+  const tokens = getTokens(issuer);
+  try {
+    const verifyOpts = {};
+    if (options.audience !== void 0) verifyOpts.audience = options.audience;
+    verifyOpts.issuer = options.issuer ?? issuer;
+    if (options.clockTolerance !== void 0)
+      verifyOpts.clockTolerance = options.clockTolerance;
+    if (options.algorithms !== void 0) verifyOpts.algorithms = options.algorithms;
+    const claims = await tokens.verify(token, verifyOpts);
+    return { claims };
+  } catch (err) {
+    if (err instanceof IQAuthError) return null;
+    return null;
+  }
+}
+function _resetWsVerifierCache() {
+  tokensByIssuer.clear();
+}
+
+export {
+  verifyWsUpgrade,
+  _resetWsVerifierCache
+};