@iqauth/sdk 2.6.4 → 2.8.1

package/dist/fastify.mjs

@@ -1,29 +1,37 @@
+import {
+  sanitizeReturnTo
+} from "./chunk-JRDVUWAL.mjs";
 import {
   handleCallback,
   handleRefresh,
   handleSignout,
+  handleUserinfo,
   serializeCookie
-} from "./chunk-6TDJJER7.mjs";
+} from "./chunk-WSH4SW7F.mjs";
 import {
   assertPublishableKey
-} from "./chunk-WQWBJSSS.mjs";
+} from "./chunk-HVHNYPDC.mjs";
 import {
   IQAuthClient
-} from "./chunk-W3F4JYGP.mjs";
-import "./chunk-UNYDG2L4.mjs";
+} from "./chunk-ZLJPABB7.mjs";
+import "./chunk-NUO2I65G.mjs";
 import {
   IQAuthError
-} from "./chunk-6I6RM4MN.mjs";
+} from "./chunk-6PJRLRB4.mjs";
 import "./chunk-Y6FXYEAI.mjs";
 
 // src/fastify.ts
+var PKCE_COOKIE = "iqauth_pkce";
 var KNOWN_AUTH_ERRORS = /* @__PURE__ */ new Set([
   "TOKEN_INVALID",
   "TOKEN_EXPIRED",
   "TOKEN_REVOKED",
   "SESSION_EXPIRED",
   "SESSION_INVALID",
-  "AUTH_REQUIRED"
+  "AUTH_REQUIRED",
+  // Task #127 — typed `IQAuthErrorCode` taxonomy.
+  "token_invalid",
+  "token_expired"
 ]);
 function applyResponse(reply, hr) {
   for (const c of hr.cookies) {
@@ -35,6 +43,54 @@ function applyResponse(reply, hr) {
   }
   reply.code(hr.status).send(hr.body);
 }
+function applyCallbackResponse(reply, hr, requestOrigin, returnToCookieValue, returnToCookieName) {
+  const returnTo = sanitizeReturnTo(
+    returnToCookieValue || hr.body?.returnTo,
+    { currentOrigin: requestOrigin, fallback: "/" }
+  );
+  for (const c of hr.cookies) {
+    const cookie = serializeCookie(c);
+    const existing = reply.getHeader?.("set-cookie") ?? [];
+    const list = Array.isArray(existing) ? existing : [existing];
+    list.push(cookie);
+    reply.header("set-cookie", list);
+  }
+  if (hr.status < 400) {
+    const existing = reply.getHeader?.("set-cookie") ?? [];
+    const list = Array.isArray(existing) ? existing : [existing];
+    list.push(`${returnToCookieName}=; Path=/; Max-Age=0; SameSite=Lax`);
+    reply.header("set-cookie", list);
+  }
+  reply.code(hr.status).send({ ...hr.body, returnTo });
+}
+function applyCallbackRedirect(reply, hr, requestOrigin, returnToCookieValue, cookieNames) {
+  const pushCookie = (value) => {
+    const existing = reply.getHeader?.("set-cookie") ?? [];
+    const list = Array.isArray(existing) ? existing : [existing];
+    list.push(value);
+    reply.header("set-cookie", list);
+  };
+  for (const c of hr.cookies) pushCookie(serializeCookie(c));
+  pushCookie(`${cookieNames.state}=; Path=/; Max-Age=0; SameSite=Lax`);
+  pushCookie(`${cookieNames.pkce}=; Path=/; Max-Age=0; SameSite=Lax`);
+  if (hr.status >= 400) {
+    reply.header("location", "/");
+    reply.code(302).send();
+    return;
+  }
+  const dest = sanitizeReturnTo(returnToCookieValue, {
+    currentOrigin: requestOrigin,
+    fallback: "/"
+  });
+  pushCookie(`${cookieNames.returnTo}=; Path=/; Max-Age=0; SameSite=Lax`);
+  reply.header("location", dest);
+  reply.code(302).send();
+}
+function requestOriginOf(req) {
+  const proto = req.headers?.["x-forwarded-proto"]?.split(",")[0]?.trim() || (typeof req.protocol === "string" ? req.protocol : void 0) || "https";
+  const host = req.headers?.["x-forwarded-host"]?.split(",")[0]?.trim() || req.headers?.host || "";
+  return host ? `${proto}://${host}` : "";
+}
 function readCookie(req, name) {
   if (req.cookies && typeof req.cookies[name] === "string") return req.cookies[name];
   const raw = req.headers?.cookie;
@@ -68,10 +124,12 @@ async function iqAuth(fastify, options) {
   } : void 0;
   const accessCookie = options.accessCookieName ?? "iqauth_at";
   const refreshCookie = options.refreshCookieName ?? "iqauth_rt";
+  const returnToCookie = options.returnToCookieName ?? "iqauth_return_to";
   const mount = (options.mountPath ?? "/api/iqauth").replace(/\/+$/, "");
   const mountHelpers = options.mountHelperRoutes !== false;
   const isPublic = (p) => {
     if (mountHelpers && p.startsWith(mount + "/")) return true;
+    if (options.mountUserinfo && p === `${mount}/me`) return true;
     if (Array.isArray(options.publicPaths)) return options.publicPaths.includes(p);
     if (typeof options.publicPaths === "function") return options.publicPaths(p);
     return false;
@@ -101,22 +159,54 @@ async function iqAuth(fastify, options) {
   if (mountHelpers) {
     fastify.post(`${mount}/callback`, async (req, reply) => {
       const body = req.body || {};
-      applyResponse(reply, await handleCallback(helperConfig, {
+      const hr = await handleCallback(helperConfig, {
         code: body.code,
         codeVerifier: body.codeVerifier,
-        redirectUri: body.redirectUri
-      }));
+        redirectUri: body.redirectUri,
+        // M-2: bind callback to this browser; handleCallback fails closed.
+        state: body.state,
+        expectedState: readCookie(req, helperConfig.stateCookieName ?? "iqauth_state")
+      });
+      applyCallbackResponse(reply, hr, requestOriginOf(req), readCookie(req, returnToCookie), returnToCookie);
+    });
+    fastify.get(`${mount}/callback`, async (req, reply) => {
+      const stateCookie = helperConfig.stateCookieName ?? "iqauth_state";
+      const q = req.query || {};
+      const origin = requestOriginOf(req);
+      const redirectUri = `${origin}${mount}/callback`;
+      const hr = await handleCallback(helperConfig, {
+        code: q.code,
+        codeVerifier: readCookie(req, PKCE_COOKIE),
+        redirectUri,
+        state: q.state,
+        expectedState: readCookie(req, stateCookie)
+      });
+      applyCallbackRedirect(reply, hr, origin, readCookie(req, returnToCookie), {
+        returnTo: returnToCookie,
+        state: stateCookie,
+        pkce: PKCE_COOKIE
+      });
     });
     fastify.post(`${mount}/refresh`, async (req, reply) => {
       const body = req.body || {};
       const refreshToken = body.refreshToken || readCookie(req, refreshCookie);
-      applyResponse(reply, await handleRefresh(helperConfig, { refreshToken }));
+      const idempotencyToken = req.headers?.["x-iqauth-idempotency"] || body.idempotencyToken;
+      applyResponse(reply, await handleRefresh(helperConfig, { refreshToken, idempotencyToken }));
     });
     fastify.post(`${mount}/signout`, async (req, reply) => {
       const auth = req.headers?.authorization;
       const accessToken = (typeof auth === "string" ? auth.replace(/^Bearer /i, "") : void 0) || readCookie(req, accessCookie);
+      const refreshToken = readCookie(req, refreshCookie);
       const ssoCookieHeader = typeof req.headers?.cookie === "string" ? req.headers.cookie : void 0;
-      applyResponse(reply, await handleSignout(helperConfig, { accessToken, ssoCookieHeader }));
+      const idempotencyToken = req.headers?.["x-iqauth-idempotency"];
+      applyResponse(reply, await handleSignout(helperConfig, { accessToken, refreshToken, idempotencyToken, ssoCookieHeader }));
+    });
+  }
+  if (options.mountUserinfo) {
+    fastify.get(`${mount}/me`, async (req, reply) => {
+      const auth = req.headers?.authorization;
+      const accessToken = (typeof auth === "string" ? auth.replace(/^Bearer /i, "") : void 0) || readCookie(req, accessCookie);
+      applyResponse(reply, await handleUserinfo(helperConfig, { accessToken, req }));
     });
   }
   fastify.decorate("iqauth", { client, issuer });

package/dist/hono.d.mts

@@ -1,4 +1,6 @@
 import { IQAuthHelperConfig } from './server/handlers.mjs';
+import './tokens-B06VtvUi.mjs';
+import './types-Bn8O-OEd.mjs';
 
 /**
  * @iqauth/sdk/hono — Hono adapter.
@@ -16,6 +18,14 @@ interface IQAuthHonoOptions extends IQAuthHelperConfig {
     mountPath?: string;
     mountHelperRoutes?: boolean;
     publicPaths?: string[] | ((path: string) => boolean);
+    /**
+     * Cookie name the browser SDK publishes the post-login destination into
+     * before redirect. The callback handler reads it, surfaces it as `returnTo`
+     * in the JSON response body after a successful exchange, and clears it on
+     * success. Mirrors the express inline-callback adapter. Defaults to
+     * `iqauth_return_to`.
+     */
+    returnToCookieName?: string;
 }
 declare function iqAuth(options: IQAuthHonoOptions): (c: any, next: () => Promise<void>) => Promise<any>;
 

package/dist/hono.d.ts

@@ -1,4 +1,6 @@
 import { IQAuthHelperConfig } from './server/handlers.js';
+import './tokens-9F6ETrzk.js';
+import './types-Bn8O-OEd.js';
 
 /**
  * @iqauth/sdk/hono — Hono adapter.
@@ -16,6 +18,14 @@ interface IQAuthHonoOptions extends IQAuthHelperConfig {
     mountPath?: string;
     mountHelperRoutes?: boolean;
     publicPaths?: string[] | ((path: string) => boolean);
+    /**
+     * Cookie name the browser SDK publishes the post-login destination into
+     * before redirect. The callback handler reads it, surfaces it as `returnTo`
+     * in the JSON response body after a successful exchange, and clears it on
+     * success. Mirrors the express inline-callback adapter. Defaults to
+     * `iqauth_return_to`.
+     */
+    returnToCookieName?: string;
 }
 declare function iqAuth(options: IQAuthHonoOptions): (c: any, next: () => Promise<void>) => Promise<any>;