npm - @iqauth/sdk - Versions diffs - 2.6.4 → 2.8.1 - Mend

@iqauth/sdk 2.6.4 → 2.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (117) hide show

package/README.md +173 -1
package/dist/browser-session.d.mts +4 -4
package/dist/browser-session.d.ts +4 -4
package/dist/browser-session.js +212 -46
package/dist/browser-session.mjs +3 -3
package/dist/browser.d.mts +5 -5
package/dist/browser.d.ts +5 -5
package/dist/browser.js +293 -34
package/dist/browser.mjs +5 -5
package/dist/{chunk-BVV54LPI.mjs → chunk-25SSYDIP.mjs} +10 -4
package/dist/{chunk-XAWYUPMO.mjs → chunk-4V7FKOTG.mjs} +242 -22
package/dist/{chunk-6I6RM4MN.mjs → chunk-6PJRLRB4.mjs} +33 -3
package/dist/{chunk-SL3KRS4W.mjs → chunk-CIJORODR.mjs} +23 -1
package/dist/{chunk-LIZYFXH7.mjs → chunk-DFWHSDYQ.mjs} +1 -1
package/dist/chunk-GLXSIGVS.mjs +66 -0
package/dist/{chunk-DJIBN2N7.mjs → chunk-GN37E64I.mjs} +29 -7
package/dist/{chunk-WQWBJSSS.mjs → chunk-HVHNYPDC.mjs} +6 -6
package/dist/chunk-JRDVUWAL.mjs +46 -0
package/dist/{chunk-UNYDG2L4.mjs → chunk-NUO2I65G.mjs} +56 -23
package/dist/{chunk-5T7GHBX6.mjs → chunk-TLET552H.mjs} +36 -0
package/dist/chunk-VYQ3ETCK.mjs +244 -0
package/dist/{chunk-3JULWS6F.mjs → chunk-WCELYTJ3.mjs} +3 -3
package/dist/chunk-WHT6WKTY.mjs +3180 -0
package/dist/{chunk-MKKZULZR.mjs → chunk-WIFG74IK.mjs} +1 -1
package/dist/chunk-WSH4SW7F.mjs +490 -0
package/dist/{chunk-W3F4JYGP.mjs → chunk-ZLJPABB7.mjs} +139 -23
package/dist/cli/index.js +2 -2
package/dist/cli/index.mjs +2 -2
package/dist/{client-BNQe3AgF.d.ts → client-D8L-PaWr.d.mts} +59 -6
package/dist/{client-kYlJFgPv.d.mts → client-DkPL0EPZ.d.ts} +59 -6
package/dist/{doctor-YYNHNMLD.mjs → doctor-JAFXWU3X.mjs} +2 -2
package/dist/errors-Jl1Jtm-6.d.mts +107 -0
package/dist/errors-Jl1Jtm-6.d.ts +107 -0
package/dist/{express-CHpfa7D_.d.ts → express-Budysq4h.d.ts} +2 -2
package/dist/{express-B6_1vBYZ.d.mts → express-DDTA3qV1.d.mts} +2 -2
package/dist/express.d.mts +7 -6
package/dist/express.d.ts +7 -6
package/dist/express.js +563 -85
package/dist/express.mjs +73 -34
package/dist/fastify.d.mts +10 -0
package/dist/fastify.d.ts +10 -0
package/dist/fastify.js +589 -65
package/dist/fastify.mjs +101 -11
package/dist/hono.d.mts +10 -0
package/dist/hono.d.ts +10 -0
package/dist/hono.js +566 -65
package/dist/hono.mjs +78 -11
package/dist/index-Cko-d5po.d.mts +1848 -0
package/dist/index-RNqwEcmY.d.ts +1848 -0
package/dist/index.d.mts +56 -8
package/dist/index.d.ts +56 -8
package/dist/index.js +694 -75
package/dist/index.mjs +30 -10
package/dist/{keys-NLWFAOEM.mjs → keys-6Y776TG2.mjs} +2 -2
package/dist/locales.d.mts +1 -1
package/dist/locales.d.ts +1 -1
package/dist/locales.js +36 -0
package/dist/locales.mjs +1 -1
package/dist/mobile.d.mts +77 -7
package/dist/mobile.d.ts +77 -7
package/dist/mobile.js +307 -46
package/dist/mobile.mjs +98 -3
package/dist/next.d.mts +10 -1
package/dist/next.d.ts +10 -1
package/dist/next.js +596 -205
package/dist/next.mjs +83 -10
package/dist/{provisioningBridge-88xjOS2n.d.mts → provisioningBridge-BXPMZCLe.d.ts} +30 -2
package/dist/{provisioningBridge-DnTfzdZK.d.ts → provisioningBridge-IEycmsgb.d.mts} +30 -2
package/dist/{publishableKey-BaR0HoAH.d.ts → publishableKey-f2kq-rKw.d.mts} +1 -1
package/dist/{publishableKey-BaR0HoAH.d.mts → publishableKey-f2kq-rKw.d.ts} +1 -1
package/dist/react-permissions.d.mts +52 -0
package/dist/react-permissions.d.ts +52 -0
package/dist/react-permissions.js +239 -0
package/dist/react-permissions.mjs +98 -0
package/dist/react.d.mts +9 -1624
package/dist/react.d.ts +9 -1624
package/dist/react.js +882 -73
package/dist/react.mjs +71 -2631
package/dist/{reverify-4UEJXUS6.mjs → reverify-C64QXKJO.mjs} +2 -2
package/dist/server/handlers.d.mts +200 -4
package/dist/server/handlers.d.ts +200 -4
package/dist/server/handlers.js +530 -16
package/dist/server/handlers.mjs +14 -3
package/dist/server.d.mts +171 -8
package/dist/server.d.ts +171 -8
package/dist/server.js +579 -61
package/dist/server.mjs +99 -12
package/dist/service.d.mts +4 -4
package/dist/service.d.ts +4 -4
package/dist/service.js +212 -46
package/dist/service.mjs +3 -3
package/dist/{signIn-CiIBTJIh.d.mts → signIn-CReqfXsh.d.mts} +95 -3
package/dist/{signIn-OCr88Zf8.d.ts → signIn-Cfa1GTpO.d.ts} +95 -3
package/dist/{signIn-4OKLDEIH.mjs → signIn-SHBW6Z4T.mjs} +1 -1
package/dist/test.mjs +3 -3
package/dist/{tokens-DCyzzn8L.d.mts → tokens-9F6ETrzk.d.ts} +9 -2
package/dist/{tokens-aHiGFr_E.d.ts → tokens-B06VtvUi.d.mts} +9 -2
package/dist/{types-DZAflmmq.d.mts → types-Bn8O-OEd.d.mts} +164 -11
package/dist/{types-DZAflmmq.d.ts → types-Bn8O-OEd.d.ts} +164 -11
package/dist/{types-6bNdxesb.d.ts → types-DnU2LhXR.d.mts} +7 -1
package/dist/{types-6bNdxesb.d.mts → types-DnU2LhXR.d.ts} +7 -1
package/dist/webhooks.d.mts +113 -17
package/dist/webhooks.d.ts +113 -17
package/dist/webhooks.js +179 -15
package/dist/webhooks.mjs +7 -1
package/dist/ws.d.mts +2 -2
package/dist/ws.d.ts +2 -2
package/dist/ws.js +80 -30
package/dist/ws.mjs +4 -4
package/docs/error-handling.md +101 -0
package/docs/guides/effective-permissions.md +171 -0
package/docs/guides/invitations.md +65 -0
package/package.json +19 -4
package/dist/chunk-6TDJJER7.mjs +0 -217
package/dist/chunk-UKZLOHZG.mjs +0 -83
package/dist/errors-CDdl24MP.d.mts +0 -52
package/dist/errors-CDdl24MP.d.ts +0 -52

package/dist/hono.mjs CHANGED Viewed

@@ -1,29 +1,37 @@
+import {
+  sanitizeReturnTo
+} from "./chunk-JRDVUWAL.mjs";
 import {
   handleCallback,
   handleRefresh,
   handleSignout,
+  handleUserinfo,
   serializeCookie
-} from "./chunk-6TDJJER7.mjs";
+} from "./chunk-WSH4SW7F.mjs";
 import {
   assertPublishableKey
-} from "./chunk-WQWBJSSS.mjs";
+} from "./chunk-HVHNYPDC.mjs";
 import {
   IQAuthClient
-} from "./chunk-W3F4JYGP.mjs";
-import "./chunk-UNYDG2L4.mjs";
+} from "./chunk-ZLJPABB7.mjs";
+import "./chunk-NUO2I65G.mjs";
 import {
   IQAuthError
-} from "./chunk-6I6RM4MN.mjs";
+} from "./chunk-6PJRLRB4.mjs";
 import "./chunk-Y6FXYEAI.mjs";
 // src/hono.ts
+var PKCE_COOKIE = "iqauth_pkce";
 var KNOWN_AUTH_ERRORS = /* @__PURE__ */ new Set([
   "TOKEN_INVALID",
   "TOKEN_EXPIRED",
   "TOKEN_REVOKED",
   "SESSION_EXPIRED",
   "SESSION_INVALID",
-  "AUTH_REQUIRED"
+  "AUTH_REQUIRED",
+  // Task #127 — typed `IQAuthErrorCode` taxonomy.
+  "token_invalid",
+  "token_expired"
 ]);
 function readCookieFromHeader(header, name) {
   if (!header) return void 0;
@@ -45,6 +53,36 @@ function honoResponse(hr) {
   for (const c of hr.cookies) headers.append("set-cookie", serializeCookie(c));
   return new Response(JSON.stringify(hr.body), { status: hr.status, headers });
 }
+function honoCallbackResponse(hr, requestOrigin, returnToCookieValue, returnToCookieName) {
+  const returnTo = sanitizeReturnTo(
+    returnToCookieValue || hr.body?.returnTo,
+    { currentOrigin: requestOrigin, fallback: "/" }
+  );
+  const headers = new Headers({ "Content-Type": "application/json" });
+  for (const c of hr.cookies) headers.append("set-cookie", serializeCookie(c));
+  if (hr.status < 400) {
+    headers.append("set-cookie", `${returnToCookieName}=; Path=/; Max-Age=0; SameSite=Lax`);
+  }
+  const body = { ...hr.body, returnTo };
+  return new Response(JSON.stringify(body), { status: hr.status, headers });
+}
+function honoCallbackRedirect(hr, requestOrigin, returnToCookieValue, cookieNames) {
+  const headers = new Headers();
+  for (const c of hr.cookies) headers.append("set-cookie", serializeCookie(c));
+  headers.append("set-cookie", `${cookieNames.state}=; Path=/; Max-Age=0; SameSite=Lax`);
+  headers.append("set-cookie", `${cookieNames.pkce}=; Path=/; Max-Age=0; SameSite=Lax`);
+  if (hr.status >= 400) {
+    headers.set("location", "/");
+    return new Response(null, { status: 302, headers });
+  }
+  const dest = sanitizeReturnTo(returnToCookieValue, {
+    currentOrigin: requestOrigin,
+    fallback: "/"
+  });
+  headers.append("set-cookie", `${cookieNames.returnTo}=; Path=/; Max-Age=0; SameSite=Lax`);
+  headers.set("location", dest);
+  return new Response(null, { status: 302, headers });
+}
 function iqAuth(options) {
   const parsed = assertPublishableKey(options.publishableKey, { context: "@iqauth/sdk/hono" });
   const issuer = (options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
@@ -52,6 +90,7 @@ function iqAuth(options) {
   const client = new IQAuthClient({ baseUrl: issuer, environment: "server" });
   const accessCookie = options.accessCookieName ?? "iqauth_at";
   const refreshCookie = options.refreshCookieName ?? "iqauth_rt";
+  const returnToCookie = options.returnToCookieName ?? "iqauth_return_to";
   const mount = (options.mountPath ?? "/api/iqauth").replace(/\/+$/, "");
   const mountHelpers = options.mountHelperRoutes !== false;
   const isPublic = (p) => {
@@ -62,24 +101,52 @@ function iqAuth(options) {
   return async (c, next) => {
     const url = new URL(c.req.url);
     const path = url.pathname;
+    if (options.mountUserinfo && path === `${mount}/me` && c.req.method === "GET") {
+      const auth2 = c.req.header("authorization");
+      const accessToken = auth2 && auth2.replace(/^Bearer /i, "") || readCookieFromHeader(c.req.header("cookie"), accessCookie);
+      return honoResponse(await handleUserinfo(helperConfig, { accessToken, req: c.req }));
+    }
+    if (mountHelpers && path === `${mount}/callback` && c.req.method === "GET") {
+      const cookieHeader = c.req.header("cookie");
+      const stateCookie = helperConfig.stateCookieName ?? "iqauth_state";
+      const hr = await handleCallback(helperConfig, {
+        code: url.searchParams.get("code") ?? void 0,
+        codeVerifier: readCookieFromHeader(cookieHeader, PKCE_COOKIE),
+        redirectUri: `${url.origin}${url.pathname}`,
+        state: url.searchParams.get("state") ?? void 0,
+        expectedState: readCookieFromHeader(cookieHeader, stateCookie)
+      });
+      return honoCallbackRedirect(hr, url.origin, readCookieFromHeader(cookieHeader, returnToCookie), {
+        returnTo: returnToCookie,
+        state: stateCookie,
+        pkce: PKCE_COOKIE
+      });
+    }
     if (mountHelpers && path.startsWith(mount + "/") && c.req.method === "POST") {
       const body = await c.req.json().catch(() => ({}));
       const cookieHeader = c.req.header("cookie");
       if (path === `${mount}/callback`) {
-        return honoResponse(await handleCallback(helperConfig, {
+        const hr = await handleCallback(helperConfig, {
           code: body.code,
           codeVerifier: body.codeVerifier,
-          redirectUri: body.redirectUri
-        }));
+          redirectUri: body.redirectUri,
+          // M-2: bind callback to this browser; handleCallback fails closed.
+          state: body.state,
+          expectedState: readCookieFromHeader(cookieHeader, helperConfig.stateCookieName ?? "iqauth_state")
+        });
+        return honoCallbackResponse(hr, url.origin, readCookieFromHeader(cookieHeader, returnToCookie), returnToCookie);
       }
       if (path === `${mount}/refresh`) {
         const refreshToken = body.refreshToken || readCookieFromHeader(cookieHeader, refreshCookie);
-        return honoResponse(await handleRefresh(helperConfig, { refreshToken }));
+        const idempotencyToken = c.req.header("x-iqauth-idempotency") || body.idempotencyToken;
+        return honoResponse(await handleRefresh(helperConfig, { refreshToken, idempotencyToken }));
       }
       if (path === `${mount}/signout`) {
         const auth2 = c.req.header("authorization");
         const accessToken = auth2 && auth2.replace(/^Bearer /i, "") || readCookieFromHeader(cookieHeader, accessCookie);
-        return honoResponse(await handleSignout(helperConfig, { accessToken, ssoCookieHeader: cookieHeader }));
+        const refreshToken = readCookieFromHeader(cookieHeader, refreshCookie);
+        const idempotencyToken = c.req.header("x-iqauth-idempotency");
+        return honoResponse(await handleSignout(helperConfig, { accessToken, refreshToken, idempotencyToken, ssoCookieHeader: cookieHeader }));
       }
     }
     if (isPublic(path)) return next();