@iqauth/sdk 2.6.4 → 2.7.0

package/dist/next.mjs

@@ -2,15 +2,16 @@ import {
   handleCallback,
   handleRefresh,
   handleSignout,
+  handleUserinfo,
   serializeCookie
-} from "./chunk-6TDJJER7.mjs";
+} from "./chunk-RUJXRTEW.mjs";
 import {
   assertPublishableKey
-} from "./chunk-WQWBJSSS.mjs";
+} from "./chunk-HVHNYPDC.mjs";
 import {
   TokensModule
-} from "./chunk-UNYDG2L4.mjs";
-import "./chunk-6I6RM4MN.mjs";
+} from "./chunk-NUO2I65G.mjs";
+import "./chunk-6PJRLRB4.mjs";
 import "./chunk-Y6FXYEAI.mjs";
 
 // src/next.ts
@@ -43,8 +44,19 @@ function handler(options) {
   return async (req) => {
     const url = new URL(req.url);
     const action = url.pathname.split("/").pop();
-    const body = await req.json().catch(() => ({}));
     const cookieHeader = req.headers.get("cookie");
+    if (action === "me" && req.method === "GET") {
+      if (!options.mountUserinfo) {
+        return new Response(JSON.stringify({ success: false, error: { code: "NOT_FOUND", message: "userinfo route not enabled" } }), {
+          status: 404,
+          headers: { "Content-Type": "application/json" }
+        });
+      }
+      const auth = req.headers.get("authorization");
+      const accessToken = auth && auth.replace(/^Bearer /i, "") || readCookieFromHeader(cookieHeader, accessCookie);
+      return toResponse(await handleUserinfo(helperConfig, { accessToken, req }));
+    }
+    const body = await req.json().catch(() => ({}));
     if (action === "callback") {
       return toResponse(await handleCallback(helperConfig, {
         code: body.code,
@@ -54,12 +66,15 @@ function handler(options) {
     }
     if (action === "refresh") {
       const refreshToken = body.refreshToken || readCookieFromHeader(cookieHeader, refreshCookie);
-      return toResponse(await handleRefresh(helperConfig, { refreshToken }));
+      const idempotencyToken = req.headers.get("x-iqauth-idempotency") || body.idempotencyToken;
+      return toResponse(await handleRefresh(helperConfig, { refreshToken, idempotencyToken: idempotencyToken ?? void 0 }));
     }
     if (action === "signout") {
       const auth = req.headers.get("authorization");
       const accessToken = auth && auth.replace(/^Bearer /i, "") || readCookieFromHeader(cookieHeader, accessCookie);
-      return toResponse(await handleSignout(helperConfig, { accessToken, ssoCookieHeader: cookieHeader ?? void 0 }));
+      const refreshToken = readCookieFromHeader(cookieHeader, refreshCookie);
+      const idempotencyToken = req.headers.get("x-iqauth-idempotency") ?? void 0;
+      return toResponse(await handleSignout(helperConfig, { accessToken, refreshToken, idempotencyToken, ssoCookieHeader: cookieHeader ?? void 0 }));
     }
     return new Response(JSON.stringify({ success: false, error: { code: "NOT_FOUND", message: `Unknown action: ${action}` } }), {
       status: 404,

package/dist/{provisioningBridge-DnTfzdZK.d.ts → provisioningBridge-CGpMRie4.d.ts}

@@ -1,4 +1,4 @@
-import { J as JwtClaims } from './types-DZAflmmq.js';
+import { J as JwtClaims } from './types-XOV9XPVi.js';
 
 /**
  * createProvisioningBridge — server-side helper that lifts the

package/dist/{provisioningBridge-88xjOS2n.d.mts → provisioningBridge-M5G47LWO.d.mts}

@@ -1,4 +1,4 @@
-import { J as JwtClaims } from './types-DZAflmmq.mjs';
+import { J as JwtClaims } from './types-XOV9XPVi.mjs';
 
 /**
  * createProvisioningBridge — server-side helper that lifts the

package/dist/{publishableKey-BaR0HoAH.d.ts → publishableKey-f2kq-rKw.d.mts}

@@ -20,7 +20,7 @@ declare function encodePublishableKey(mode: KeyMode, payload: PublishableKeyPayl
 declare function parsePublishableKey(raw: string): ParsedPublishableKey | null;
 /**
  * Strict counterpart to `parsePublishableKey` — throws a typed `IQAuthError`
- * (`code: "CONFIG_INVALID"`) with an actionable message when the key is
+ * (`code: "config_invalid"`) with an actionable message when the key is
  * missing, malformed, or encodes a non-URL `iss`. Use this at SDK init so a
  * bad key fails loudly at boot instead of cryptically at first verify.
  */

package/dist/{publishableKey-BaR0HoAH.d.mts → publishableKey-f2kq-rKw.d.ts}

@@ -20,7 +20,7 @@ declare function encodePublishableKey(mode: KeyMode, payload: PublishableKeyPayl
 declare function parsePublishableKey(raw: string): ParsedPublishableKey | null;
 /**
  * Strict counterpart to `parsePublishableKey` — throws a typed `IQAuthError`
- * (`code: "CONFIG_INVALID"`) with an actionable message when the key is
+ * (`code: "config_invalid"`) with an actionable message when the key is
  * missing, malformed, or encodes a non-URL `iss`. Use this at SDK init so a
  * bad key fails loudly at boot instead of cryptically at first verify.
  */

package/dist/react-permissions.d.mts

@@ -0,0 +1,52 @@
+import { S as SessionError } from './index-CKoZHAoc.mjs';
+import 'csstype';
+import 'react/jsx-runtime';
+import 'react';
+import './signIn-T-CZ6t6r.mjs';
+import './publishableKey-f2kq-rKw.mjs';
+import './types-XOV9XPVi.mjs';
+import './types-BdQ2lqfT.mjs';
+
+interface UseEffectivePermissionsOptions {
+    /**
+     * App key (OIDC client_id / manifest key) the permissions should be
+     * resolved against. Required — permissions in IQAuth are app-scoped.
+     */
+    appKey: string;
+    /** Disable the network fetch (claims fallback still applies). */
+    enabled?: boolean;
+    /** Stale window in ms. Default 5min. */
+    staleTime?: number;
+    /**
+     * Override the issuer URL the hook calls. Defaults to the issuer the
+     * provider was booted with.
+     */
+    issuer?: string;
+}
+interface UseEffectivePermissionsResult {
+    /** Normalized, wildcard-collapsed set of granted permission ids. */
+    permissions: string[];
+    /** Wildcard-aware membership check. Identical semantics on server. */
+    hasPermission: (id: string) => boolean;
+    /** True only while a fetch is actively in flight (and no cached data yet). */
+    isLoading: boolean;
+    /** Last fetch error, if any. Cleared on next successful refetch. */
+    error: SessionError | null;
+    /** Force a refetch, bypassing the staleTime window. */
+    refetch: () => Promise<void>;
+}
+/**
+ * Canonical hook for resolving the *full* effective permission set of the
+ * signed-in user against a single app. Use this whenever the JWT
+ * `entitlements` claim is too small (apps with hundreds of nodes can't fit
+ * them in the token).
+ *
+ * Requires a `<QueryClientProvider>` (`@tanstack/react-query`) somewhere
+ * above this hook in the tree.
+ *
+ * Returns `{ permissions, hasPermission, isLoading, error, refetch }`.
+ * `hasPermission` honours wildcard semantics (`*`, `metrics.*`).
+ */
+declare function useEffectivePermissions(opts: UseEffectivePermissionsOptions): UseEffectivePermissionsResult;
+
+export { type UseEffectivePermissionsOptions, type UseEffectivePermissionsResult, useEffectivePermissions };

package/dist/react-permissions.d.ts

@@ -0,0 +1,52 @@
+import { S as SessionError } from './index-5KSZEnDe.js';
+import 'csstype';
+import 'react/jsx-runtime';
+import 'react';
+import './signIn-BLFnz8SV.js';
+import './publishableKey-f2kq-rKw.js';
+import './types-XOV9XPVi.js';
+import './types-BdQ2lqfT.js';
+
+interface UseEffectivePermissionsOptions {
+    /**
+     * App key (OIDC client_id / manifest key) the permissions should be
+     * resolved against. Required — permissions in IQAuth are app-scoped.
+     */
+    appKey: string;
+    /** Disable the network fetch (claims fallback still applies). */
+    enabled?: boolean;
+    /** Stale window in ms. Default 5min. */
+    staleTime?: number;
+    /**
+     * Override the issuer URL the hook calls. Defaults to the issuer the
+     * provider was booted with.
+     */
+    issuer?: string;
+}
+interface UseEffectivePermissionsResult {
+    /** Normalized, wildcard-collapsed set of granted permission ids. */
+    permissions: string[];
+    /** Wildcard-aware membership check. Identical semantics on server. */
+    hasPermission: (id: string) => boolean;
+    /** True only while a fetch is actively in flight (and no cached data yet). */
+    isLoading: boolean;
+    /** Last fetch error, if any. Cleared on next successful refetch. */
+    error: SessionError | null;
+    /** Force a refetch, bypassing the staleTime window. */
+    refetch: () => Promise<void>;
+}
+/**
+ * Canonical hook for resolving the *full* effective permission set of the
+ * signed-in user against a single app. Use this whenever the JWT
+ * `entitlements` claim is too small (apps with hundreds of nodes can't fit
+ * them in the token).
+ *
+ * Requires a `<QueryClientProvider>` (`@tanstack/react-query`) somewhere
+ * above this hook in the tree.
+ *
+ * Returns `{ permissions, hasPermission, isLoading, error, refetch }`.
+ * `hasPermission` honours wildcard semantics (`*`, `metrics.*`).
+ */
+declare function useEffectivePermissions(opts: UseEffectivePermissionsOptions): UseEffectivePermissionsResult;
+
+export { type UseEffectivePermissionsOptions, type UseEffectivePermissionsResult, useEffectivePermissions };

package/dist/react-permissions.js

@@ -0,0 +1,239 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/errors.ts
+var init_errors = __esm({
+  "src/errors.ts"() {
+    "use strict";
+  }
+});
+
+// src/browser/storage.ts
+var init_storage = __esm({
+  "src/browser/storage.ts"() {
+    "use strict";
+  }
+});
+
+// src/browser/pkce.ts
+var init_pkce = __esm({
+  "src/browser/pkce.ts"() {
+    "use strict";
+  }
+});
+
+// src/browser/signIn.ts
+var init_signIn = __esm({
+  "src/browser/signIn.ts"() {
+    "use strict";
+    init_pkce();
+    init_storage();
+  }
+});
+
+// src/react-permissions.ts
+var react_permissions_exports = {};
+__export(react_permissions_exports, {
+  useEffectivePermissions: () => useEffectivePermissions
+});
+module.exports = __toCommonJS(react_permissions_exports);
+
+// src/react/permissions.tsx
+var import_react2 = require("react");
+var import_react_query = require("@tanstack/react-query");
+
+// src/permissions/wildcard.ts
+var SUFFIX = ".*";
+function wildcardPrefix(pattern) {
+  return pattern.slice(0, -SUFFIX.length);
+}
+function hasPermission(set, id) {
+  if (!id) return false;
+  if (!set) return false;
+  if (id === "*") {
+    for (const entry of set) if (entry === "*") return true;
+    return false;
+  }
+  const queryIsWildcard = id.endsWith(SUFFIX);
+  const queryPrefix = queryIsWildcard ? wildcardPrefix(id) : null;
+  for (const entry of set) {
+    if (!entry) continue;
+    if (entry === "*") return true;
+    if (entry === id) return true;
+    if (entry.endsWith(SUFFIX)) {
+      const prefix = wildcardPrefix(entry);
+      if (!queryIsWildcard) {
+        if (id === prefix) return true;
+        if (id.startsWith(prefix + ".")) return true;
+      } else {
+        if (queryPrefix === prefix) return true;
+        if (queryPrefix !== null && queryPrefix.startsWith(prefix + ".")) return true;
+      }
+    }
+  }
+  return false;
+}
+function expandPermissions(set) {
+  if (!set) return [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const raw of set) {
+    if (typeof raw !== "string" || raw.length === 0) continue;
+    seen.add(raw);
+  }
+  if (seen.has("*")) return ["*"];
+  const wildcards = [];
+  for (const entry of seen) if (entry.endsWith(SUFFIX)) wildcards.push(entry);
+  const out = [];
+  for (const entry of seen) {
+    let covered = false;
+    for (const w of wildcards) {
+      if (w === entry) continue;
+      const prefix = wildcardPrefix(w);
+      if (entry === prefix) {
+        covered = true;
+        break;
+      }
+      if (entry.startsWith(prefix + ".")) {
+        covered = true;
+        break;
+      }
+    }
+    if (!covered) out.push(entry);
+  }
+  out.sort();
+  return out;
+}
+
+// src/react/index.tsx
+var import_react = require("react");
+
+// src/browser/sessionManager.ts
+init_errors();
+
+// src/publishableKey.ts
+init_errors();
+
+// src/browser/sessionManager.ts
+init_storage();
+
+// src/react/index.tsx
+init_signIn();
+
+// src/browser/accountRegistry.ts
+init_storage();
+var COOKIE_MAX_AGE = 60 * 60 * 24 * 30;
+
+// src/react/index.tsx
+var import_jsx_runtime = require("react/jsx-runtime");
+var IQAuthContext = (0, import_react.createContext)(null);
+function __useIQAuthInternal() {
+  return useCtx();
+}
+function useCtx() {
+  const ctx = (0, import_react.useContext)(IQAuthContext);
+  if (!ctx) throw new Error("IQAuth hooks must be used inside <IQAuthProvider>");
+  return ctx;
+}
+var MultisessionContext = (0, import_react.createContext)(null);
+var SDK_CSS_MAX_LEN = 50 * 1024;
+
+// src/react/permissions.tsx
+var DEFAULT_PERMS_STALE_MS = 5 * 60 * 1e3;
+function projectAllowedScopes(rows) {
+  if (!Array.isArray(rows)) return [];
+  const allowed = [];
+  const denied = /* @__PURE__ */ new Set();
+  for (const r of rows) {
+    if (!r || typeof r.scope !== "string" || !r.scope) continue;
+    if (r.effect === "deny") denied.add(r.scope);
+    else allowed.push(r.scope);
+  }
+  return expandPermissions(allowed.filter((s) => !denied.has(s)));
+}
+function useEffectivePermissions(opts) {
+  const { manager, snapshot } = __useIQAuthInternal();
+  const { appKey, enabled = true, staleTime = DEFAULT_PERMS_STALE_MS, issuer } = opts;
+  const claims = snapshot.claims;
+  const isPlatformAdmin = Array.isArray(claims?.roles) && claims.roles.includes("platform_admin");
+  const userId = snapshot.user?.sub ?? null;
+  const tenantId = snapshot.tenantId ?? claims?.tenantId ?? null;
+  const issuerUrl = (issuer ?? manager.issuerUrl).replace(/\/$/, "");
+  const queryEnabled = enabled && !!userId && !!tenantId && !!appKey && !isPlatformAdmin;
+  const query = (0, import_react_query.useQuery)({
+    queryKey: ["iqauth", "effective-permissions", issuerUrl, tenantId, userId, appKey],
+    queryFn: async () => {
+      const url = `${issuerUrl}/api/v1/tenants/${encodeURIComponent(tenantId)}/users/${encodeURIComponent(userId)}/permissions/effective?appKey=${encodeURIComponent(appKey)}`;
+      const res = await manager.fetch(url);
+      const json = await res.json().catch(() => ({}));
+      if (!res.ok) {
+        const code = json?.error?.code || `HTTP_${res.status}`;
+        const message = json?.error?.message || `HTTP ${res.status}`;
+        const e = { code, message };
+        throw e;
+      }
+      const rows = Array.isArray(json) ? json : json?.data ?? [];
+      return projectAllowedScopes(rows);
+    },
+    enabled: queryEnabled,
+    staleTime,
+    refetchOnWindowFocus: false,
+    retry: false
+  });
+  const refetch = (0, import_react2.useCallback)(async () => {
+    if (!queryEnabled) return;
+    await query.refetch();
+  }, [query, queryEnabled]);
+  return (0, import_react2.useMemo)(() => {
+    if (isPlatformAdmin) {
+      return {
+        permissions: ["*"],
+        hasPermission: () => true,
+        isLoading: false,
+        error: null,
+        refetch
+      };
+    }
+    const fetched = query.data;
+    const perms = fetched ?? expandPermissions(claims?.entitlements ?? []);
+    const isLoading = queryEnabled && query.isLoading;
+    const error = query.error ? "code" in query.error && typeof query.error.code === "string" ? query.error : { code: "PERMISSIONS_FETCH_FAILED", message: query.error.message || "Failed to fetch permissions" } : null;
+    return {
+      permissions: perms,
+      hasPermission: (id) => hasPermission(perms, id),
+      isLoading,
+      error,
+      refetch
+    };
+  }, [
+    isPlatformAdmin,
+    queryEnabled,
+    query.data,
+    query.isLoading,
+    query.error,
+    claims?.entitlements,
+    refetch
+  ]);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  useEffectivePermissions
+});

package/dist/react-permissions.mjs

@@ -0,0 +1,97 @@
+import {
+  __useIQAuthInternal
+} from "./chunk-RR2MGPTK.mjs";
+import "./chunk-RTJAIBXY.mjs";
+import "./chunk-GN37E64I.mjs";
+import "./chunk-C2ZTBOAC.mjs";
+import {
+  expandPermissions,
+  hasPermission
+} from "./chunk-GLXSIGVS.mjs";
+import "./chunk-HVHNYPDC.mjs";
+import "./chunk-5T7GHBX6.mjs";
+import "./chunk-6PJRLRB4.mjs";
+import "./chunk-Y6FXYEAI.mjs";
+
+// src/react/permissions.tsx
+import { useCallback, useMemo } from "react";
+import { useQuery } from "@tanstack/react-query";
+var DEFAULT_PERMS_STALE_MS = 5 * 60 * 1e3;
+function projectAllowedScopes(rows) {
+  if (!Array.isArray(rows)) return [];
+  const allowed = [];
+  const denied = /* @__PURE__ */ new Set();
+  for (const r of rows) {
+    if (!r || typeof r.scope !== "string" || !r.scope) continue;
+    if (r.effect === "deny") denied.add(r.scope);
+    else allowed.push(r.scope);
+  }
+  return expandPermissions(allowed.filter((s) => !denied.has(s)));
+}
+function useEffectivePermissions(opts) {
+  const { manager, snapshot } = __useIQAuthInternal();
+  const { appKey, enabled = true, staleTime = DEFAULT_PERMS_STALE_MS, issuer } = opts;
+  const claims = snapshot.claims;
+  const isPlatformAdmin = Array.isArray(claims?.roles) && claims.roles.includes("platform_admin");
+  const userId = snapshot.user?.sub ?? null;
+  const tenantId = snapshot.tenantId ?? claims?.tenantId ?? null;
+  const issuerUrl = (issuer ?? manager.issuerUrl).replace(/\/$/, "");
+  const queryEnabled = enabled && !!userId && !!tenantId && !!appKey && !isPlatformAdmin;
+  const query = useQuery({
+    queryKey: ["iqauth", "effective-permissions", issuerUrl, tenantId, userId, appKey],
+    queryFn: async () => {
+      const url = `${issuerUrl}/api/v1/tenants/${encodeURIComponent(tenantId)}/users/${encodeURIComponent(userId)}/permissions/effective?appKey=${encodeURIComponent(appKey)}`;
+      const res = await manager.fetch(url);
+      const json = await res.json().catch(() => ({}));
+      if (!res.ok) {
+        const code = json?.error?.code || `HTTP_${res.status}`;
+        const message = json?.error?.message || `HTTP ${res.status}`;
+        const e = { code, message };
+        throw e;
+      }
+      const rows = Array.isArray(json) ? json : json?.data ?? [];
+      return projectAllowedScopes(rows);
+    },
+    enabled: queryEnabled,
+    staleTime,
+    refetchOnWindowFocus: false,
+    retry: false
+  });
+  const refetch = useCallback(async () => {
+    if (!queryEnabled) return;
+    await query.refetch();
+  }, [query, queryEnabled]);
+  return useMemo(() => {
+    if (isPlatformAdmin) {
+      return {
+        permissions: ["*"],
+        hasPermission: () => true,
+        isLoading: false,
+        error: null,
+        refetch
+      };
+    }
+    const fetched = query.data;
+    const perms = fetched ?? expandPermissions(claims?.entitlements ?? []);
+    const isLoading = queryEnabled && query.isLoading;
+    const error = query.error ? "code" in query.error && typeof query.error.code === "string" ? query.error : { code: "PERMISSIONS_FETCH_FAILED", message: query.error.message || "Failed to fetch permissions" } : null;
+    return {
+      permissions: perms,
+      hasPermission: (id) => hasPermission(perms, id),
+      isLoading,
+      error,
+      refetch
+    };
+  }, [
+    isPlatformAdmin,
+    queryEnabled,
+    query.data,
+    query.isLoading,
+    query.error,
+    claims?.entitlements,
+    refetch
+  ]);
+}
+export {
+  useEffectivePermissions
+};