@iqauth/sdk 2.6.4 → 2.8.1

package/dist/{chunk-MKKZULZR.mjs → chunk-WIFG74IK.mjs}

@@ -1,6 +1,6 @@
 import {
   encodePublishableKey
-} from "./chunk-WQWBJSSS.mjs";
+} from "./chunk-HVHNYPDC.mjs";
 
 // src/test.ts
 import { createServer } from "http";

package/dist/chunk-WSH4SW7F.mjs

@@ -0,0 +1,490 @@
+import {
+  assertPublishableKey
+} from "./chunk-HVHNYPDC.mjs";
+import {
+  TokensModule
+} from "./chunk-NUO2I65G.mjs";
+import {
+  IQAuthError
+} from "./chunk-6PJRLRB4.mjs";
+
+// src/server/handlers.ts
+async function buildUserinfoResponse(claims, opts = {}) {
+  const baseUser = {
+    sub: claims.sub,
+    email: claims.email,
+    name: claims.name,
+    tenantId: claims.tenantId,
+    vendorId: claims.vendorId,
+    roles: claims.roles ?? [],
+    entitlements: claims.entitlements ?? [],
+    // Task #171 — project the active source/client scope onto the userinfo
+    // payload so server handlers (`getSessionUser`, `/api/iqauth/userinfo`)
+    // expose it without consumers having to re-decode the JWT.
+    ...claims.scopeContext !== void 0 ? { scopeContext: claims.scopeContext } : {}
+  };
+  const enriched = opts.enrich ? await opts.enrich(claims) : null;
+  const user = enriched ? { ...baseUser, ...enriched } : baseUser;
+  return {
+    success: true,
+    data: {
+      user,
+      claims,
+      tenantId: claims.tenantId ?? null
+    }
+  };
+}
+function emitTiming(cfg, event) {
+  if (cfg.debug) {
+    try {
+      console.debug("[iqauth_helper]", event);
+    } catch {
+    }
+  }
+  if (cfg.onTimingEvent) {
+    try {
+      cfg.onTimingEvent(event);
+    } catch {
+    }
+  }
+}
+var TERMINAL_REFRESH_ERROR_CODES = /* @__PURE__ */ new Set([
+  "TOKEN_REVOKED",
+  "SESSION_REVOKED",
+  "INVALID_GRANT",
+  "invalid_grant",
+  "USER_DEACTIVATED",
+  "USER_DISABLED",
+  "TENANT_SUSPENDED"
+]);
+function shouldClearCookiesOnFailure(policy, status, errorCode) {
+  if (policy === "always") return true;
+  if (policy === "never") return false;
+  if (status === 410) return true;
+  if (errorCode && TERMINAL_REFRESH_ERROR_CODES.has(errorCode)) return true;
+  return false;
+}
+var ACCESS_TOKEN_TTL_SECONDS = 60 * 15;
+var REFRESH_TOKEN_TTL_SECONDS = 60 * 60 * 24 * 30;
+function assertCookiePrefixInvariants(name, secure, path, domain) {
+  if (name.startsWith("__Host-")) {
+    if (!secure) {
+      throw new IQAuthError(
+        "config_invalid",
+        `Cookie "${name}" uses the __Host- prefix, which browsers only accept on a Secure cookie. Set secure:true (and serve over HTTPS).`
+      );
+    }
+    if (path !== "/") {
+      throw new IQAuthError(
+        "config_invalid",
+        `Cookie "${name}" uses the __Host- prefix, which requires Path=/ (got "${path}"). Remove cookiePath or set it to "/".`
+      );
+    }
+    if (domain) {
+      throw new IQAuthError(
+        "config_invalid",
+        `Cookie "${name}" uses the __Host- prefix, which forbids a Domain attribute (the cookie is host-locked). Remove cookieDomain.`
+      );
+    }
+  } else if (name.startsWith("__Secure-") && !secure) {
+    throw new IQAuthError(
+      "config_invalid",
+      `Cookie "${name}" uses the __Secure- prefix, which browsers only accept on a Secure cookie. Set secure:true (and serve over HTTPS).`
+    );
+  }
+}
+function resolve(config) {
+  const parsed = assertPublishableKey(config.publishableKey, { context: "@iqauth/sdk helpers" });
+  const inferredIssuer = parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`;
+  maybeWarnDefaultSignoutRegistry(config);
+  const secure = config.secure ?? true;
+  if (config.secure === false && config.allowInsecureCookies !== true) {
+    throw new IQAuthError(
+      "config_invalid",
+      "Refusing to issue auth cookies with secure:false \u2014 this exposes session cookies over plaintext HTTP. For local HTTP development, set allowInsecureCookies:true to acknowledge the risk. Production MUST use HTTPS with secure cookies."
+    );
+  }
+  const accessCookieName = config.accessCookieName ?? config.cookieNames?.access ?? "iqauth_at";
+  const refreshCookieName = config.refreshCookieName ?? config.cookieNames?.refresh ?? "iqauth_rt";
+  const stateCookieName = config.stateCookieName ?? "iqauth_state";
+  const cookiePath = config.cookiePath ?? "/";
+  const cookieDomain = config.cookieDomain;
+  for (const name of [accessCookieName, refreshCookieName, stateCookieName]) {
+    assertCookiePrefixInvariants(name, secure, cookiePath, cookieDomain);
+  }
+  return {
+    publishableKey: config.publishableKey,
+    secretKey: config.secretKey,
+    issuer: (config.issuer ?? inferredIssuer).replace(/\/+$/, ""),
+    accessCookieName,
+    refreshCookieName,
+    cookieDomain,
+    sameSite: config.sameSite ?? "lax",
+    secure,
+    cookiePath,
+    tokenPath: config.tokenPath ?? "/oidc/token",
+    refreshPath: config.refreshPath ?? "/api/v1/auth/refresh",
+    logoutPath: config.logoutPath ?? "/api/v1/auth/logout",
+    fetchImpl: config.fetchImpl ?? (typeof fetch !== "undefined" ? fetch.bind(globalThis) : (() => {
+      throw new Error("global fetch is unavailable; pass fetchImpl");
+    })),
+    appId: parsed.appId,
+    tenantId: parsed.tenantId,
+    clearCookiesOnRefreshFailure: config.clearCookiesOnRefreshFailure ?? "terminal-only",
+    debug: config.debug,
+    onTimingEvent: config.onTimingEvent,
+    signoutRegistry: config.signoutRegistry ?? defaultSignoutRegistry,
+    signoutMarkerTtlMs: config.signoutMarkerTtlMs ?? DEFAULT_SIGNOUT_TTL_MS,
+    requireOAuthState: config.requireOAuthState ?? true,
+    stateCookieName: config.stateCookieName ?? "iqauth_state"
+  };
+}
+function timingSafeEqualStr(a, b) {
+  const len = Math.max(a.length, b.length);
+  let diff = a.length ^ b.length;
+  for (let i = 0; i < len; i++) {
+    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
+  }
+  return diff === 0;
+}
+function makeCookie(cfg, name, value, maxAge, httpOnly = true) {
+  return {
+    name,
+    value,
+    maxAge,
+    httpOnly,
+    secure: cfg.secure,
+    sameSite: cfg.sameSite,
+    path: cfg.cookiePath,
+    domain: cfg.cookieDomain
+  };
+}
+function clearCookies(cfg) {
+  return [
+    { ...makeCookie(cfg, cfg.accessCookieName, "", 0), clear: true },
+    { ...makeCookie(cfg, cfg.refreshCookieName, "", 0), clear: true }
+  ];
+}
+function clearStateCookie(cfg) {
+  return { ...makeCookie(cfg, cfg.stateCookieName, "", 0, false), clear: true };
+}
+var DEFAULT_SIGNOUT_TTL_MS = 6e4;
+var inMemorySignoutMarkers = /* @__PURE__ */ new Map();
+function pruneInMemoryMarkers(now) {
+  if (inMemorySignoutMarkers.size === 0) return;
+  for (const [k, exp] of inMemorySignoutMarkers) {
+    if (exp <= now) inMemorySignoutMarkers.delete(k);
+  }
+}
+var defaultSignoutRegistry = {
+  mark(token, ttlMs) {
+    const now = Date.now();
+    pruneInMemoryMarkers(now);
+    inMemorySignoutMarkers.set(token, now + ttlMs);
+  },
+  has(token) {
+    const now = Date.now();
+    const exp = inMemorySignoutMarkers.get(token);
+    if (!exp) return false;
+    if (exp <= now) {
+      inMemorySignoutMarkers.delete(token);
+      return false;
+    }
+    return true;
+  }
+};
+var warnedDefaultSignoutRegistry = false;
+function maybeWarnDefaultSignoutRegistry(config) {
+  if (warnedDefaultSignoutRegistry) return;
+  if (config.signoutRegistry) return;
+  warnedDefaultSignoutRegistry = true;
+  console.warn(
+    "[IQAuth] Using the in-memory signout registry (process-local). Signout idempotency is NOT shared across instances \u2014 in a multi-replica deployment a /refresh racing a /signout on another replica can reissue cookies after sign-out. Plug a shared backend (e.g. Redis) into IQAuthHelperConfig.signoutRegistry to fix this and silence this warning."
+  );
+}
+function __resetSignoutMarkersForTests() {
+  inMemorySignoutMarkers.clear();
+}
+function __resetSignoutRegistryWarningForTests() {
+  warnedDefaultSignoutRegistry = false;
+}
+function createInMemorySignoutRegistry() {
+  const store = /* @__PURE__ */ new Map();
+  return {
+    mark(token, ttlMs) {
+      const now = Date.now();
+      for (const [k, exp] of store) if (exp <= now) store.delete(k);
+      store.set(token, now + ttlMs);
+    },
+    has(token) {
+      const now = Date.now();
+      const exp = store.get(token);
+      if (!exp) return false;
+      if (exp <= now) {
+        store.delete(token);
+        return false;
+      }
+      return true;
+    }
+  };
+}
+function serializeCookie(d) {
+  const parts = [`${d.name}=${encodeURIComponent(d.value)}`];
+  parts.push(`Path=${d.path}`);
+  if (d.domain) parts.push(`Domain=${d.domain}`);
+  parts.push(`Max-Age=${d.maxAge}`);
+  if (d.clear) parts.push("Expires=Thu, 01 Jan 1970 00:00:00 GMT");
+  if (d.secure) parts.push("Secure");
+  if (d.httpOnly) parts.push("HttpOnly");
+  parts.push(`SameSite=${d.sameSite}`);
+  return parts.join("; ");
+}
+async function handleCallback(config, input) {
+  const cfg = resolve(config);
+  const t0 = Date.now();
+  if (!input.code || !input.redirectUri) {
+    emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: false, code: "VALIDATION_ERROR" });
+    return {
+      status: 400,
+      body: { success: false, error: { code: "VALIDATION_ERROR", message: "code and redirectUri are required" } },
+      cookies: []
+    };
+  }
+  const provided = input.state;
+  const expected = input.expectedState;
+  const stateOk = cfg.requireOAuthState ? !!expected && !!provided && timingSafeEqualStr(provided, expected) : !expected || !!provided && timingSafeEqualStr(provided, expected);
+  if (!stateOk) {
+    emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: false, code: "STATE_MISMATCH" });
+    return {
+      status: 400,
+      body: {
+        success: false,
+        error: {
+          code: "STATE_MISMATCH",
+          message: "OAuth state validation failed; the sign-in could not be verified as originating from this browser."
+        }
+      },
+      cookies: [clearStateCookie(cfg)]
+    };
+  }
+  if (!cfg.secretKey) {
+    emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: false, code: "INTERNAL_ERROR" });
+    return {
+      status: 500,
+      body: { success: false, error: { code: "INTERNAL_ERROR", message: "secretKey is required for the callback handler" } },
+      cookies: []
+    };
+  }
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    code: input.code,
+    redirect_uri: input.redirectUri,
+    client_id: cfg.appId
+  });
+  if (input.codeVerifier) body.set("code_verifier", input.codeVerifier);
+  const res = await cfg.fetchImpl(`${cfg.issuer}${cfg.tokenPath}`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Authorization: `Basic ${typeof btoa === "function" ? btoa(`${cfg.appId}:${cfg.secretKey}`) : Buffer.from(`${cfg.appId}:${cfg.secretKey}`).toString("base64")}`
+    },
+    body: body.toString()
+  });
+  const json = await res.json().catch(() => ({}));
+  if (!res.ok || !json.access_token) {
+    emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: false, code: json.error || "OIDC_EXCHANGE_FAILED" });
+    return {
+      status: res.status || 502,
+      body: {
+        success: false,
+        error: {
+          code: json.error || "OIDC_EXCHANGE_FAILED",
+          message: json.error_description || "Authorization code exchange failed"
+        }
+      },
+      cookies: []
+    };
+  }
+  try {
+    await getTokensFor(cfg.issuer).verify(json.access_token, {
+      issuer: cfg.issuer,
+      ...config.verify
+    });
+  } catch (err) {
+    const code = err instanceof IQAuthError ? err.code : err.code || "TOKEN_INVALID";
+    emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: false, code });
+    return {
+      status: 502,
+      body: {
+        success: false,
+        error: {
+          code: "ACCESS_TOKEN_VERIFICATION_FAILED",
+          message: "The issuer returned an access token that failed verification; no session was established."
+        }
+      },
+      cookies: []
+    };
+  }
+  const cookies = [];
+  cookies.push(
+    makeCookie(cfg, cfg.accessCookieName, json.access_token, json.expires_in ?? ACCESS_TOKEN_TTL_SECONDS)
+  );
+  if (json.refresh_token) {
+    cookies.push(makeCookie(cfg, cfg.refreshCookieName, json.refresh_token, REFRESH_TOKEN_TTL_SECONDS));
+  }
+  cookies.push(clearStateCookie(cfg));
+  emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: true });
+  return {
+    status: 200,
+    body: { success: true, data: { authenticated: true } },
+    cookies
+  };
+}
+async function handleRefresh(config, input) {
+  const cfg = resolve(config);
+  const t0 = Date.now();
+  const refreshToken = input.refreshToken;
+  const idemKey = input.idempotencyToken;
+  if (idemKey && await Promise.resolve(cfg.signoutRegistry.has(idemKey))) {
+    return {
+      status: 401,
+      body: { success: false, error: { code: "SESSION_REVOKED", message: "Session was signed out" } },
+      cookies: clearCookies(cfg)
+    };
+  }
+  if (!refreshToken) {
+    emitTiming(cfg, { phase: "refresh", durationMs: Date.now() - t0, ok: false, code: "TOKEN_INVALID" });
+    return {
+      status: 401,
+      body: { success: false, error: { code: "TOKEN_INVALID", message: "Missing refresh token" } },
+      cookies: cfg.clearCookiesOnRefreshFailure === "always" ? clearCookies(cfg) : []
+    };
+  }
+  const res = await cfg.fetchImpl(`${cfg.issuer}${cfg.refreshPath}`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ refreshToken })
+  });
+  const json = await res.json().catch(() => ({}));
+  if (!res.ok || !json.success || !json.data?.accessToken) {
+    const status = res.status || 401;
+    const errorCode = json.error?.code || "TOKEN_INVALID";
+    emitTiming(cfg, { phase: "refresh", durationMs: Date.now() - t0, ok: false, code: errorCode });
+    const shouldClear = shouldClearCookiesOnFailure(
+      cfg.clearCookiesOnRefreshFailure,
+      status,
+      errorCode
+    );
+    return {
+      status,
+      body: {
+        success: false,
+        error: {
+          code: errorCode,
+          message: json.error?.message || "Refresh failed"
+        }
+      },
+      cookies: shouldClear ? clearCookies(cfg) : []
+    };
+  }
+  const cookies = [
+    makeCookie(cfg, cfg.accessCookieName, json.data.accessToken, ACCESS_TOKEN_TTL_SECONDS)
+  ];
+  if (json.data.refreshToken) {
+    cookies.push(makeCookie(cfg, cfg.refreshCookieName, json.data.refreshToken, REFRESH_TOKEN_TTL_SECONDS));
+  }
+  emitTiming(cfg, { phase: "refresh", durationMs: Date.now() - t0, ok: true });
+  return {
+    status: 200,
+    body: { success: true, data: { accessToken: json.data.accessToken } },
+    cookies
+  };
+}
+async function handleSignout(config, input) {
+  const cfg = resolve(config);
+  const t0 = Date.now();
+  if (input.idempotencyToken) {
+    await Promise.resolve(cfg.signoutRegistry.mark(input.idempotencyToken, cfg.signoutMarkerTtlMs));
+  }
+  if (input.accessToken) {
+    try {
+      await cfg.fetchImpl(`${cfg.issuer}${cfg.logoutPath}`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${input.accessToken}`
+        }
+      });
+    } catch {
+    }
+  }
+  if (input.endSsoSession !== false && input.ssoCookieHeader) {
+    try {
+      await cfg.fetchImpl(`${cfg.issuer}/oidc/sso-logout`, {
+        method: "POST",
+        headers: { Cookie: input.ssoCookieHeader }
+      });
+    } catch {
+    }
+  }
+  emitTiming(cfg, { phase: "signout", durationMs: Date.now() - t0, ok: true });
+  return {
+    status: 200,
+    body: { success: true, data: { signedOut: true } },
+    cookies: clearCookies(cfg)
+  };
+}
+var TOKENS_CACHE = /* @__PURE__ */ new Map();
+function getTokensFor(issuer) {
+  let m = TOKENS_CACHE.get(issuer);
+  if (!m) {
+    m = new TokensModule(issuer);
+    TOKENS_CACHE.set(issuer, m);
+  }
+  return m;
+}
+async function handleUserinfo(config, input) {
+  const cfg = resolve(config);
+  if (!input.accessToken) {
+    return {
+      status: 401,
+      body: { success: false, error: { code: "TOKEN_INVALID", message: "Missing access token" } },
+      cookies: []
+    };
+  }
+  let claims;
+  try {
+    claims = await getTokensFor(cfg.issuer).verify(input.accessToken, {
+      issuer: cfg.issuer,
+      ...config.verify
+    });
+  } catch (err) {
+    const code = err instanceof IQAuthError ? err.code : err.code || "TOKEN_INVALID";
+    const message = err instanceof Error ? err.message : "Access token verification failed";
+    return {
+      status: 401,
+      body: { success: false, error: { code, message } },
+      cookies: []
+    };
+  }
+  const envelope = await buildUserinfoResponse(claims, {
+    enrich: config.userinfoEnricher ? (c) => config.userinfoEnricher(c, input.req) : void 0
+  });
+  return {
+    status: 200,
+    body: envelope,
+    cookies: []
+  };
+}
+
+export {
+  buildUserinfoResponse,
+  __resetSignoutMarkersForTests,
+  __resetSignoutRegistryWarningForTests,
+  createInMemorySignoutRegistry,
+  serializeCookie,
+  handleCallback,
+  handleRefresh,
+  handleSignout,
+  handleUserinfo
+};