@jazzmind/busibox-app 3.0.18 → 3.0.20

package/dist/lib/auth/sso-route-handler.d.ts

@@ -1,114 +0,0 @@
-/**
- * Shared SSO Route Handler
- *
- * Provides reusable handlers for SSO token exchange in Busibox apps.
- * Use these handlers in your app's /api/sso/route.ts to avoid code duplication.
- *
- * @example
- * ```typescript
- * // app/api/sso/route.ts
- * import { handleSSOGet, handleSSOPost } from '@jazzmind/busibox-app/lib/auth';
- *
- * export const GET = handleSSOGet;
- * export const POST = handleSSOPost;
- * ```
- */
-/**
- * Request interface compatible with Next.js NextRequest
- */
-interface NextRequestLike {
-    json(): Promise<{
-        token?: string;
-    }>;
-    nextUrl: {
-        searchParams: {
-            get(name: string): string | null;
-        };
-    };
-    url: string;
-}
-/**
- * Response instance interface - what a response object looks like
- */
-interface ResponseInstance {
-    cookies: {
-        set(name: string, value: string, options?: {
-            httpOnly?: boolean;
-            secure?: boolean;
-            sameSite?: 'strict' | 'lax' | 'none';
-            maxAge?: number;
-            path?: string;
-        }): void;
-    };
-}
-/**
- * Options for SSO handlers
- */
-export interface SSOHandlerOptions {
-    /** Override app name (default: process.env.APP_NAME or 'app') */
-    appName?: string;
-    /** Override base path (default: process.env.NEXT_PUBLIC_BASE_PATH or '/') */
-    basePath?: string;
-    /** Default fallback app name if APP_NAME not set */
-    defaultAppName?: string;
-    /** Enable verbose logging */
-    verbose?: boolean;
-    /**
-     * Override auth token cookie maxAge in seconds.
-     * Default: 21600 (6 hours).
-     * Also reads SSO_COOKIE_MAX_AGE env var.
-     * Useful for testing token refresh with shorter expiry.
-     */
-    authTokenMaxAge?: number;
-}
-/**
- * Result of SSO POST handler
- */
-export interface SSOPostResult {
-    success: boolean;
-    user?: {
-        id: string;
-        email: string;
-        roles: string[];
-        displayName?: string;
-        firstName?: string;
-        lastName?: string;
-        avatarUrl?: string;
-        favoriteColor?: string;
-    };
-    error?: string;
-    details?: string;
-}
-/**
- * Handle SSO GET request (redirect-based flow)
- *
- * This handler validates the token from URL query params and redirects
- * back to the app with session cookies set.
- *
- * @param request - Next.js NextRequest
- * @param NextResponse - Next.js NextResponse class
- * @param options - Optional configuration
- * @returns NextResponse redirect with cookies set
- */
-export declare function createSSOGetHandler<T extends ResponseInstance>(NextResponse: {
-    redirect(url: URL): T;
-}, options?: SSOHandlerOptions): (request: NextRequestLike) => Promise<T>;
-/**
- * Handle SSO POST request (API-based flow)
- *
- * This handler validates the token from the request body and returns
- * a JSON response with session cookies set. This is the preferred method
- * as browsers properly process Set-Cookie headers from JSON responses.
- *
- * @param request - Next.js NextRequest
- * @param NextResponse - Next.js NextResponse class
- * @param options - Optional configuration
- * @returns NextResponse with JSON body and cookies set
- */
-export declare function createSSOPostHandler<T extends ResponseInstance>(NextResponse: {
-    json(body: unknown, init?: {
-        status?: number;
-    }): T;
-}, options?: SSOHandlerOptions): (request: NextRequestLike) => Promise<T>;
-export {};
-//# sourceMappingURL=sso-route-handler.d.ts.map

package/dist/lib/auth/sso-route-handler.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"sso-route-handler.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/sso-route-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAKH;;GAEG;AACH,UAAU,eAAe;IACvB,IAAI,IAAI,OAAO,CAAC;QAAE,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACpC,OAAO,EAAE;QACP,YAAY,EAAE;YACZ,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;SAClC,CAAC;KACH,CAAC;IACF,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,UAAU,gBAAgB;IACxB,OAAO,EAAE;QACP,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;YACzC,QAAQ,CAAC,EAAE,OAAO,CAAC;YACnB,MAAM,CAAC,EAAE,OAAO,CAAC;YACjB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;YACrC,MAAM,CAAC,EAAE,MAAM,CAAC;YAChB,IAAI,CAAC,EAAE,MAAM,CAAC;SACf,GAAG,IAAI,CAAC;KACV,CAAC;CACH;AAUD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,iEAAiE;IACjE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,6EAA6E;IAC7E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oDAAoD;IACpD,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,6BAA6B;IAC7B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB;;;;;OAKG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE;QACL,EAAE,EAAE,MAAM,CAAC;QACX,KAAK,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,CAAC;IACF,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAkCD;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,SAAS,gBAAgB,EAC5D,YAAY,EAAE;IAAE,QAAQ,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,CAAA;CAAE,EACvC,OAAO,CAAC,EAAE,iBAAiB,GAC1B,CAAC,OAAO,EAAE,eAAe,KAAK,OAAO,CAAC,CAAC,CAAC,CA8E1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,oBAAoB,CAAC,CAAC,SAAS,gBAAgB,EAC7D,YAAY,EAAE;IAAE,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,CAAC,CAAA;CAAE,EACpE,OAAO,CAAC,EAAE,iBAAiB,GAC1B,CAAC,OAAO,EAAE,eAAe,KAAK,OAAO,CAAC,CAAC,CAAC,CA+F1C"}

package/dist/lib/auth/sso-route-handler.js

@@ -1,199 +0,0 @@
-/**
- * Shared SSO Route Handler
- *
- * Provides reusable handlers for SSO token exchange in Busibox apps.
- * Use these handlers in your app's /api/sso/route.ts to avoid code duplication.
- *
- * @example
- * ```typescript
- * // app/api/sso/route.ts
- * import { handleSSOGet, handleSSOPost } from '@jazzmind/busibox-app/lib/auth';
- *
- * export const GET = handleSSOGet;
- * export const POST = handleSSOPost;
- * ```
- */
-import { validateSSOToken, createSessionFromSSO } from './sso';
-import { sanitizeAppName } from './auth-helper';
-/**
- * Get cookie configuration for SSO
- */
-function getCookieConfig(options) {
-    const rawAppName = options?.appName || process.env.APP_NAME || options?.defaultAppName || 'app';
-    const appName = sanitizeAppName(rawAppName);
-    const basePath = options?.basePath || process.env.NEXT_PUBLIC_BASE_PATH || '/';
-    // Auth token cookie maxAge: option > env var > default 6 hours
-    const envMaxAge = process.env.SSO_COOKIE_MAX_AGE ? parseInt(process.env.SSO_COOKIE_MAX_AGE, 10) : null;
-    const authTokenMaxAge = options?.authTokenMaxAge || envMaxAge || 60 * 60 * 6;
-    return {
-        sessionCookieName: `${appName}-session`,
-        authCookieName: `${appName}-auth-token`,
-        basePath,
-        isProduction: process.env.NODE_ENV === 'production',
-        authTokenMaxAge,
-    };
-}
-/**
- * Handle SSO GET request (redirect-based flow)
- *
- * This handler validates the token from URL query params and redirects
- * back to the app with session cookies set.
- *
- * @param request - Next.js NextRequest
- * @param NextResponse - Next.js NextResponse class
- * @param options - Optional configuration
- * @returns NextResponse redirect with cookies set
- */
-export function createSSOGetHandler(NextResponse, options) {
-    return async function handleSSOGet(request) {
-        const searchParams = request.nextUrl.searchParams;
-        const token = searchParams.get('token');
-        const returnUrl = searchParams.get('return') || '/';
-        const verbose = options?.verbose ?? false;
-        if (!token) {
-            console.error('[SSO] No token provided');
-            return NextResponse.redirect(new URL('/login?error=no_token', request.url));
-        }
-        try {
-            // Get app name for both validation and cookies
-            const rawAppName = options?.appName || process.env.APP_NAME || options?.defaultAppName || 'app';
-            const config = getCookieConfig(options);
-            // Validate token with the expected audience (app name)
-            const validation = await validateSSOToken(token, { appName: rawAppName });
-            if (!validation.valid) {
-                console.error('[SSO] Token validation failed:', validation.error);
-                return NextResponse.redirect(new URL(`/login?error=${validation.error}`, request.url));
-            }
-            const session = createSessionFromSSO(validation);
-            // Build redirect URL - avoid double basePath
-            let redirectUrl;
-            if (!returnUrl.startsWith('/')) {
-                // Absolute URL, use as-is
-                redirectUrl = returnUrl;
-            }
-            else if (config.basePath && config.basePath !== '/' && returnUrl.startsWith(config.basePath)) {
-                // returnUrl already includes basePath, use as-is
-                redirectUrl = returnUrl;
-            }
-            else {
-                // Prepend basePath to relative URL
-                redirectUrl = `${config.basePath}${returnUrl}`;
-            }
-            const response = NextResponse.redirect(new URL(redirectUrl, request.url));
-            if (verbose) {
-                console.log(`[SSO] GET: Setting cookies for app, path: ${config.basePath}`);
-                console.log(`[SSO]   - ${config.sessionCookieName}`);
-                console.log(`[SSO]   - ${config.authCookieName}`);
-                console.log(`[SSO]   authTokenMaxAge: ${config.authTokenMaxAge}s`);
-            }
-            // Set session cookie
-            response.cookies.set(config.sessionCookieName, JSON.stringify(session), {
-                httpOnly: true,
-                secure: config.isProduction,
-                sameSite: 'lax',
-                maxAge: 60 * 60 * 24, // 24 hours
-                path: config.basePath || '/',
-            });
-            // Set auth token cookie (maxAge is configurable for testing)
-            response.cookies.set(config.authCookieName, token, {
-                httpOnly: true,
-                secure: config.isProduction,
-                sameSite: 'lax',
-                maxAge: config.authTokenMaxAge,
-                path: config.basePath || '/',
-            });
-            return response;
-        }
-        catch (error) {
-            console.error('[SSO] GET Error:', error);
-            return NextResponse.redirect(new URL('/login?error=sso_failed', request.url));
-        }
-    };
-}
-/**
- * Handle SSO POST request (API-based flow)
- *
- * This handler validates the token from the request body and returns
- * a JSON response with session cookies set. This is the preferred method
- * as browsers properly process Set-Cookie headers from JSON responses.
- *
- * @param request - Next.js NextRequest
- * @param NextResponse - Next.js NextResponse class
- * @param options - Optional configuration
- * @returns NextResponse with JSON body and cookies set
- */
-export function createSSOPostHandler(NextResponse, options) {
-    return async function handleSSOPost(request) {
-        const verbose = options?.verbose ?? false;
-        try {
-            const body = await request.json();
-            const token = body.token;
-            if (!token) {
-                return NextResponse.json({ success: false, error: 'No token provided' }, { status: 400 });
-            }
-            // Get app name for both validation and cookies
-            const rawAppName = options?.appName || process.env.APP_NAME || options?.defaultAppName || 'app';
-            const config = getCookieConfig(options);
-            if (verbose) {
-                console.log(`[SSO] POST received token for app: ${rawAppName} (sanitized cookie prefix)`);
-                console.log(`[SSO] basePath for cookies: ${config.basePath}`);
-            }
-            // Validate token with the expected audience (app name)
-            const validation = await validateSSOToken(token, { appName: rawAppName });
-            if (!validation.valid) {
-                if (verbose) {
-                    console.log(`[SSO] Token validation failed: ${validation.error}`);
-                }
-                return NextResponse.json({ success: false, error: 'Invalid token', details: validation.error }, { status: 401 });
-            }
-            if (verbose) {
-                console.log(`[SSO] Token validated successfully for user: ${validation.userId}`);
-            }
-            const session = createSessionFromSSO(validation);
-            const response = NextResponse.json({
-                success: true,
-                user: {
-                    id: session.userId,
-                    email: session.email,
-                    roles: session.roles,
-                    displayName: session.displayName,
-                    firstName: session.firstName,
-                    lastName: session.lastName,
-                    avatarUrl: session.avatarUrl,
-                    favoriteColor: session.favoriteColor,
-                },
-            });
-            if (verbose) {
-                console.log(`[SSO] Setting cookies with path: ${config.basePath}`);
-                console.log(`[SSO]   - ${config.sessionCookieName}`);
-                console.log(`[SSO]   - ${config.authCookieName}`);
-                console.log(`[SSO]   authTokenMaxAge: ${config.authTokenMaxAge}s`);
-            }
-            // Set session cookie
-            response.cookies.set(config.sessionCookieName, JSON.stringify(session), {
-                httpOnly: true,
-                secure: config.isProduction,
-                sameSite: 'lax',
-                maxAge: 60 * 60 * 24, // 24 hours
-                path: config.basePath,
-            });
-            // Set auth token cookie (maxAge is configurable for testing)
-            response.cookies.set(config.authCookieName, token, {
-                httpOnly: true,
-                secure: config.isProduction,
-                sameSite: 'lax',
-                maxAge: config.authTokenMaxAge,
-                path: config.basePath,
-            });
-            if (verbose) {
-                console.log('[SSO] Response cookies set, returning success');
-            }
-            return response;
-        }
-        catch (error) {
-            console.error('[SSO] POST Error:', error);
-            return NextResponse.json({ success: false, error: 'SSO failed' }, { status: 500 });
-        }
-    };
-}
-//# sourceMappingURL=sso-route-handler.js.map

package/dist/lib/auth/sso-route-handler.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"sso-route-handler.js","sourceRoot":"","sources":["../../../src/lib/auth/sso-route-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,OAAO,CAAC;AAC/D,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAyFhD;;GAEG;AACH,SAAS,eAAe,CAAC,OAA2B;IAClD,MAAM,UAAU,GAAG,OAAO,EAAE,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,OAAO,EAAE,cAAc,IAAI,KAAK,CAAC;IAChG,MAAM,OAAO,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,GAAG,CAAC;IAE/E,+DAA+D;IAC/D,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACvG,MAAM,eAAe,GAAG,OAAO,EAAE,eAAe,IAAI,SAAS,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IAE7E,OAAO;QACL,iBAAiB,EAAE,GAAG,OAAO,UAAU;QACvC,cAAc,EAAE,GAAG,OAAO,aAAa;QACvC,QAAQ;QACR,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QACnD,eAAe;KAChB,CAAC;AACJ,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,mBAAmB,CACjC,YAAuC,EACvC,OAA2B;IAE3B,OAAO,KAAK,UAAU,YAAY,CAAC,OAAwB;QACzD,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC;QAClD,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACxC,MAAM,SAAS,GAAG,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC;QAEpD,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,KAAK,CAAC;QAE1C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;YACzC,OAAO,YAAY,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9E,CAAC;QAED,IAAI,CAAC;YACH,+CAA+C;YAC/C,MAAM,UAAU,GAAG,OAAO,EAAE,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,OAAO,EAAE,cAAc,IAAI,KAAK,CAAC;YAChG,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;YAExC,uDAAuD;YACvD,MAAM,UAAU,GAAG,MAAM,gBAAgB,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC;YAE1E,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;gBACtB,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC;gBAClE,OAAO,YAAY,CAAC,QAAQ,CAC1B,IAAI,GAAG,CAAC,gBAAgB,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,GAAG,CAAC,CACzD,CAAC;YACJ,CAAC;YAED,MAAM,OAAO,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAC;YAEjD,6CAA6C;YAC7C,IAAI,WAAmB,CAAC;YACxB,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC/B,0BAA0B;gBAC1B,WAAW,GAAG,SAAS,CAAC;YAC1B,CAAC;iBAAM,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,KAAK,GAAG,IAAI,SAAS,CAAC,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC/F,iDAAiD;gBACjD,WAAW,GAAG,SAAS,CAAC;YAC1B,CAAC;iBAAM,CAAC;gBACN,mCAAmC;gBACnC,WAAW,GAAG,GAAG,MAAM,CAAC,QAAQ,GAAG,SAAS,EAAE,CAAC;YACjD,CAAC;YAED,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;YAE1E,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,CAAC,GAAG,CAAC,6CAA6C,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;gBAC5E,OAAO,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,iBAAiB,EAAE,CAAC,CAAC;gBACrD,OAAO,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,cAAc,EAAE,CAAC,CAAC;gBAClD,OAAO,CAAC,GAAG,CAAC,4BAA4B,MAAM,CAAC,eAAe,GAAG,CAAC,CAAC;YACrE,CAAC;YAED,qBAAqB;YACrB,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,iBAAiB,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE;gBACtE,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,MAAM,CAAC,YAAY;gBAC3B,QAAQ,EAAE,KAAK;gBACf,MAAM,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,WAAW;gBACjC,IAAI,EAAE,MAAM,CAAC,QAAQ,IAAI,GAAG;aAC7B,CAAC,CAAC;YAEH,6DAA6D;YAC7D,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,cAAc,EAAE,KAAK,EAAE;gBACjD,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,MAAM,CAAC,YAAY;gBAC3B,QAAQ,EAAE,KAAK;gBACf,MAAM,EAAE,MAAM,CAAC,eAAe;gBAC9B,IAAI,EAAE,MAAM,CAAC,QAAQ,IAAI,GAAG;aAC7B,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,kBAAkB,EAAE,KAAK,CAAC,CAAC;YACzC,OAAO,YAAY,CAAC,QAAQ,CAC1B,IAAI,GAAG,CAAC,yBAAyB,EAAE,OAAO,CAAC,GAAG,CAAC,CAChD,CAAC;QACJ,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,oBAAoB,CAClC,YAAoE,EACpE,OAA2B;IAE3B,OAAO,KAAK,UAAU,aAAa,CAAC,OAAwB;QAC1D,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,KAAK,CAAC;QAE1C,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;YAClC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;YAEzB,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,YAAY,CAAC,IAAI,CACtB,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAC9C,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;YACJ,CAAC;YAED,+CAA+C;YAC/C,MAAM,UAAU,GAAG,OAAO,EAAE,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,OAAO,EAAE,cAAc,IAAI,KAAK,CAAC;YAChG,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;YAExC,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,CAAC,GAAG,CAAC,sCAAsC,UAAU,4BAA4B,CAAC,CAAC;gBAC1F,OAAO,CAAC,GAAG,CAAC,+BAA+B,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;YAChE,CAAC;YAED,uDAAuD;YACvD,MAAM,UAAU,GAAG,MAAM,gBAAgB,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC;YAE1E,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;gBACtB,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,GAAG,CAAC,kCAAkC,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;gBACpE,CAAC;gBACD,OAAO,YAAY,CAAC,IAAI,CACtB,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,UAAU,CAAC,KAAK,EAAE,EACrE,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;YACJ,CAAC;YAED,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,CAAC,GAAG,CAAC,gDAAgD,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;YACnF,CAAC;YAED,MAAM,OAAO,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAC;YAEjD,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC;gBACjC,OAAO,EAAE,IAAI;gBACb,IAAI,EAAE;oBACJ,EAAE,EAAE,OAAO,CAAC,MAAM;oBAClB,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,WAAW,EAAE,OAAO,CAAC,WAAW;oBAChC,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,aAAa,EAAE,OAAO,CAAC,aAAa;iBACrC;aACe,CAAC,CAAC;YAEpB,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,CAAC,GAAG,CAAC,oCAAoC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;gBACnE,OAAO,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,iBAAiB,EAAE,CAAC,CAAC;gBACrD,OAAO,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,cAAc,EAAE,CAAC,CAAC;gBAClD,OAAO,CAAC,GAAG,CAAC,4BAA4B,MAAM,CAAC,eAAe,GAAG,CAAC,CAAC;YACrE,CAAC;YAED,qBAAqB;YACrB,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,iBAAiB,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE;gBACtE,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,MAAM,CAAC,YAAY;gBAC3B,QAAQ,EAAE,KAAK;gBACf,MAAM,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,WAAW;gBACjC,IAAI,EAAE,MAAM,CAAC,QAAQ;aACtB,CAAC,CAAC;YAEH,6DAA6D;YAC7D,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,cAAc,EAAE,KAAK,EAAE;gBACjD,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,MAAM,CAAC,YAAY;gBAC3B,QAAQ,EAAE,KAAK;gBACf,MAAM,EAAE,MAAM,CAAC,eAAe;gBAC9B,IAAI,EAAE,MAAM,CAAC,QAAQ;aACtB,CAAC,CAAC;YAEH,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;YAC/D,CAAC;YAED,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,mBAAmB,EAAE,KAAK,CAAC,CAAC;YAC1C,OAAO,YAAY,CAAC,IAAI,CACtB,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,YAAY,EAAE,EACvC,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;QACJ,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/lib/auth/sso.d.ts

@@ -1,162 +0,0 @@
-/**
- * SSO Authentication Library (Zero Trust JWKS)
- *
- * Validates RS256 JWT tokens issued by authz service via JWKS.
- * This is the standard authentication method for Busibox apps.
- *
- * Token Flow:
- * 1. User clicks app in Busibox Portal
- * 2. Busibox Portal exchanges user's session JWT for app-scoped token via authz
- * 3. authz verifies user has app access via RBAC bindings
- * 4. authz issues RS256 token with app_id claim and user's roles
- * 5. App validates token via authz JWKS endpoint
- *
- * Token validation is done via authz JWKS endpoint - no shared secrets needed.
- *
- * @example
- * ```typescript
- * import { validateSSOToken, createSessionFromSSO } from '@jazzmind/busibox-app/lib/auth';
- *
- * const validation = await validateSSOToken(token);
- * if (validation.valid) {
- *   const session = createSessionFromSSO(validation);
- * }
- * ```
- */
-/**
- * Options for SSO token validation
- */
-export interface SSOValidationOptions {
-    /** Base URL for authz service (default: AUTHZ_BASE_URL env or http://authz-api:8010) */
-    authzUrl?: string;
-    /** Expected audience claim - app name (default: APP_NAME env or "app") */
-    appName?: string;
-    /** Expected issuer claim (default: "busibox-authz") */
-    issuer?: string;
-    /** Optional explicit audience(s), comma-separated (e.g. "projects,busibox-projects") */
-    ssoAudience?: string;
-}
-/**
- * JWT payload structure for app-scoped tokens from authz
- */
-export interface AppTokenPayload {
-    iss: string;
-    sub: string;
-    aud: string;
-    iat: number;
-    exp: number;
-    jti: string;
-    scope: string;
-    roles: Array<{
-        id: string;
-        name: string;
-    }>;
-    app_id?: string;
-    email?: string;
-    preferred_username?: string;
-    name?: string;
-    given_name?: string;
-    family_name?: string;
-    picture?: string;
-    favorite_color?: string;
-}
-/**
- * Result of SSO token validation
- */
-export interface SSOValidationResult {
-    valid: boolean;
-    userId?: string;
-    email?: string;
-    roles?: string[];
-    appId?: string;
-    scopes?: string[];
-    error?: string;
-    /** User profile fields from JWT claims */
-    displayName?: string;
-    firstName?: string;
-    lastName?: string;
-    avatarUrl?: string;
-    favoriteColor?: string;
-}
-/**
- * Session data created from validated SSO token
- */
-export interface SSOSessionData {
-    userId: string;
-    email: string;
-    roles: string[];
-    appId: string;
-    scopes: string[];
-    authenticatedAt: string;
-    authMethod: "sso";
-    /** User profile fields (optional, from JWT claims) */
-    displayName?: string;
-    firstName?: string;
-    lastName?: string;
-    avatarUrl?: string;
-    favoriteColor?: string;
-}
-/**
- * Invalidate JWKS cache (call this if key rotation is detected)
- */
-export declare function invalidateJwksCache(authzUrl?: string): void;
-/**
- * Validate app-scoped token from authz
- *
- * Token is RS256 signed by authz. We verify using authz JWKS endpoint.
- * No shared secrets needed - asymmetric verification.
- *
- * Handles multiple audience formats robustly:
- * - Short app IDs (e.g., "estimator", "dredge-estimator")
- * - Display names (e.g., "Dredging Cost Estimator")
- * - Explicit path/ID audiences (e.g., "projects", "busibox-projects")
- *
- * @param token - JWT token string
- * @param options - Validation options (authzUrl, appName, issuer)
- * @returns Validation result with user info or error
- *
- * @example
- * ```typescript
- * // Using environment variables
- * const result = await validateSSOToken(token);
- *
- * // With explicit options
- * const result = await validateSSOToken(token, {
- *   authzUrl: 'http://authz:8010',
- *   appName: 'My App',
- * });
- * ```
- */
-export declare function validateSSOToken(token: string, options?: SSOValidationOptions): Promise<SSOValidationResult>;
-/**
- * Full validation - validates the token via JWKS
- * @deprecated Use validateSSOToken instead
- */
-export declare function validateSSOTokenFull(token: string, options?: SSOValidationOptions): Promise<SSOValidationResult>;
-/**
- * Create session data from validated SSO token
- *
- * @param validation - Result from validateSSOToken
- * @returns Session data object
- * @throws Error if validation result is invalid
- */
-export declare function createSessionFromSSO(validation: SSOValidationResult): SSOSessionData;
-/**
- * Check if session has specific role
- */
-export declare function hasSessionRole(session: {
-    roles?: string[];
-}, roleName: string): boolean;
-/**
- * Check if session has specific scope
- */
-export declare function hasSessionScope(session: {
-    scopes?: string[];
-}, scope: string): boolean;
-/**
- * Check if session user is admin
- */
-export declare function isSessionAdmin(session: {
-    roles?: string[];
-}): boolean;
-//# sourceMappingURL=sso.d.ts.map

package/dist/lib/auth/sso.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"sso.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/sso.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAQH;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,wFAAwF;IACxF,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,0EAA0E;IAC1E,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,wFAAwF;IACxF,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAeD;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC3C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,0CAA0C;IAC1C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,UAAU,EAAE,KAAK,CAAC;IAClB,sDAAsD;IACtD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AA4BD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAM3D;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,oBAAoB,GAC7B,OAAO,CAAC,mBAAmB,CAAC,CAqJ9B;AAED;;;GAGG;AACH,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,oBAAoB,GAC7B,OAAO,CAAC,mBAAmB,CAAC,CAE9B;AAMD;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,mBAAmB,GAC9B,cAAc,CAoBhB;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,OAAO,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,EAC7B,QAAQ,EAAE,MAAM,GACf,OAAO,CAET;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,EAC9B,KAAK,EAAE,MAAM,GACZ,OAAO,CAET;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,GAAG,OAAO,CAErE"}