@jazzmind/busibox-app 3.0.18 → 3.0.20

package/dist/lib/next/passkey.d.ts

@@ -1,78 +0,0 @@
-/**
- * WebAuthn / Passkey Utility Functions
- *
- * Implements passkey registration and authentication using the WebAuthn standard.
- * Uses @simplewebauthn/server for server-side operations.
- *
- * NOTE: Passkey storage is now handled by the authz service.
- * This module performs WebAuthn verification locally, then stores results via authz.
- */
-import type { RegistrationResponseJSON, AuthenticationResponseJSON } from '@simplewebauthn/types';
-import { type Passkey } from '@jazzmind/busibox-app/lib/auth';
-import { type AuthzUser } from '../services/user-management';
-/**
- * Generate registration options for a user to create a new passkey
- * @param userId - User ID
- * @param userEmail - User email
- * @param sessionJwt - Session JWT for authentication with authz service
- */
-export declare function generatePasskeyRegistrationOptions(userId: string, userEmail: string, sessionJwt: string): Promise<any>;
-/**
- * Verify a registration response and store the new passkey
- * @param userId - User ID
- * @param response - Registration response from WebAuthn
- * @param deviceName - Name for the passkey
- * @param sessionJwt - Session JWT for authentication with authz service
- */
-export declare function verifyPasskeyRegistration(userId: string, response: RegistrationResponseJSON, deviceName: string, sessionJwt: string): Promise<Passkey>;
-/**
- * Generate authentication options for passkey login
- *
- * Note: We don't look up user by email here because:
- * 1. During login, we don't have an access token yet
- * 2. Modern browsers support "discoverable credentials" which auto-select the right passkey
- * 3. Allowing any passkey is actually the correct UX for passkey authentication
- */
-export declare function generatePasskeyAuthenticationOptions(_email?: string): Promise<any>;
-/**
- * Verify an authentication response and return the user and session
- */
-export declare function verifyPasskeyAuthentication(response: AuthenticationResponseJSON): Promise<{
-    passkey: Passkey & {
-        user_id: string;
-    };
-    user: AuthzUser;
-    session: {
-        token: string;
-        expires_at: string;
-    };
-}>;
-/**
- * Get all passkeys for a user
- * @param userId - User ID
- * @param sessionJwt - Optional session JWT for self-service authentication
- */
-export declare function getUserPasskeys(userId: string, sessionJwt?: string): Promise<Passkey[]>;
-/**
- * Delete a passkey
- * @param userId - User ID (for ownership verification)
- * @param passkeyId - Passkey ID to delete
- * @param sessionJwt - Optional session JWT for self-service authentication
- */
-export declare function deletePasskey(userId: string, passkeyId: string, sessionJwt?: string): Promise<Passkey>;
-/**
- * Rename a passkey
- * @param userId - User ID (for ownership verification)
- * @param passkeyId - Passkey ID to rename
- * @param newName - New name for the passkey
- * @param sessionJwt - Optional session JWT for self-service authentication
- */
-export declare function renamePasskey(userId: string, passkeyId: string, newName: string, sessionJwt?: string): Promise<Passkey>;
-/**
- * Check if user has any passkeys
- * @param userId - User ID
- * @param sessionJwt - Optional session JWT for self-service authentication
- */
-export declare function userHasPasskeys(userId: string, sessionJwt?: string): Promise<boolean>;
-export declare function cleanupExpiredChallenges(): Promise<any>;
-//# sourceMappingURL=passkey.d.ts.map

package/dist/lib/next/passkey.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"passkey.d.ts","sourceRoot":"","sources":["../../../src/lib/next/passkey.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAQH,OAAO,KAAK,EACV,wBAAwB,EACxB,0BAA0B,EAG3B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAML,KAAK,OAAO,EACb,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,KAAK,SAAS,EAAE,MAAM,6BAA6B,CAAC;AAmC7D;;;;;GAKG;AACH,wBAAsB,kCAAkC,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,gBA0C7G;AAED;;;;;;GAMG;AACH,wBAAsB,yBAAyB,CAC7C,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,wBAAwB,EAClC,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,oBAkDnB;AAMD;;;;;;;GAOG;AACH,wBAAsB,oCAAoC,CAAC,MAAM,CAAC,EAAE,MAAM,gBAmBzE;AAED;;GAEG;AACH,wBAAsB,2BAA2B,CAAC,QAAQ,EAAE,0BAA0B,GAAG,OAAO,CAAC;IAC/F,OAAO,EAAE,OAAO,GAAG;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;IACvC,IAAI,EAAE,SAAS,CAAC;IAChB,OAAO,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;CAChD,CAAC,CAuID;AAMD;;;;GAIG;AACH,wBAAsB,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,sBAMxE;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,oBAgBzF;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAkC7H;AAED;;;;GAIG;AACH,wBAAsB,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAO3F;AAoBD,wBAAsB,wBAAwB,iBAgB7C"}

package/dist/lib/next/passkey.js

@@ -1,380 +0,0 @@
-/**
- * WebAuthn / Passkey Utility Functions
- *
- * Implements passkey registration and authentication using the WebAuthn standard.
- * Uses @simplewebauthn/server for server-side operations.
- *
- * NOTE: Passkey storage is now handled by the authz service.
- * This module performs WebAuthn verification locally, then stores results via authz.
- */
-import { generateRegistrationOptions, verifyRegistrationResponse, generateAuthenticationOptions, verifyAuthenticationResponse, } from '@simplewebauthn/server';
-import { createPasskeyChallenge, registerPasskey as authzRegisterPasskey, listUserPasskeys as authzListUserPasskeys, deletePasskey as authzDeletePasskey, authenticateWithPasskey as authzAuthenticateWithPasskey, } from '@jazzmind/busibox-app/lib/auth';
-import { getAuthzOptions, getAuthzBaseUrl } from './authz-client';
-// RP (Relying Party) configuration
-// APP_URL is a runtime env var (server-side only) - it's NOT prefixed with NEXT_PUBLIC_
-// because we don't want it baked into the client bundle at build time.
-// This ensures the correct domain is used even if the build was done with different env vars.
-const getAppUrl = () => process.env.APP_URL || process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000';
-const getRpId = () => {
-    const url = getAppUrl();
-    try {
-        return new URL(url).hostname;
-    }
-    catch {
-        return 'localhost';
-    }
-};
-const getRpName = () => process.env.APP_NAME || 'Busibox Portal';
-const getOrigin = () => {
-    const url = getAppUrl();
-    try {
-        // WebAuthn origin must be protocol + hostname only (no path)
-        const parsed = new URL(url);
-        return `${parsed.protocol}//${parsed.hostname}${parsed.port ? ':' + parsed.port : ''}`;
-    }
-    catch {
-        return 'http://localhost:3000';
-    }
-};
-// ============================================================================
-// Registration (adding a new passkey)
-// ============================================================================
-/**
- * Generate registration options for a user to create a new passkey
- * @param userId - User ID
- * @param userEmail - User email
- * @param sessionJwt - Session JWT for authentication with authz service
- */
-export async function generatePasskeyRegistrationOptions(userId, userEmail, sessionJwt) {
-    // Use session JWT directly for self-service auth (no token exchange needed)
-    // The authz passkey endpoints support session JWT for users managing their own passkeys
-    const options = {
-        authzUrl: getAuthzBaseUrl(),
-        accessToken: sessionJwt, // Session JWT works for self-service
-    };
-    // Get existing passkeys for this user to exclude
-    const existingPasskeys = await authzListUserPasskeys(userId, options);
-    const excludeCredentials = existingPasskeys.map((passkey) => ({
-        id: passkey.credential_id,
-        type: 'public-key',
-        transports: (passkey.transports || []),
-    }));
-    const registrationOptions = await generateRegistrationOptions({
-        rpName: getRpName(),
-        rpID: getRpId(),
-        userID: new TextEncoder().encode(userId),
-        userName: userEmail,
-        userDisplayName: userEmail.split('@')[0],
-        // Timeout after 5 minutes
-        timeout: 300000,
-        // Prefer platform authenticators (Face ID, Touch ID, Windows Hello)
-        authenticatorSelection: {
-            authenticatorAttachment: 'platform',
-            residentKey: 'preferred',
-            userVerification: 'preferred',
-        },
-        // Don't re-register existing authenticators
-        excludeCredentials,
-        // Request attestation for device info
-        attestationType: 'none',
-    });
-    // Store challenge for verification via authz
-    await createPasskeyChallenge('registration', userId, options);
-    return registrationOptions;
-}
-/**
- * Verify a registration response and store the new passkey
- * @param userId - User ID
- * @param response - Registration response from WebAuthn
- * @param deviceName - Name for the passkey
- * @param sessionJwt - Session JWT for authentication with authz service
- */
-export async function verifyPasskeyRegistration(userId, response, deviceName, sessionJwt) {
-    // Use session JWT directly for self-service auth (no token exchange needed)
-    // The authz passkey endpoints support session JWT for users managing their own passkeys
-    const options = {
-        authzUrl: getAuthzBaseUrl(),
-        accessToken: sessionJwt, // Session JWT works for self-service
-    };
-    // Get the challenge from authz (we use the user's most recent challenge)
-    // Since authz stores challenges separately, we need to fetch it
-    // For now, we'll pass the expected challenge from the client
-    // This is a simplification - in production, you'd want to fetch the challenge
-    // Note: The challenge is in the response's clientDataJSON
-    // We need to extract it and verify against what we stored
-    const clientDataJSON = JSON.parse(Buffer.from(response.response.clientDataJSON, 'base64').toString());
-    const expectedChallenge = clientDataJSON.challenge;
-    // Verify the registration response
-    const verification = await verifyRegistrationResponse({
-        response,
-        expectedChallenge,
-        expectedOrigin: getOrigin(),
-        expectedRPID: getRpId(),
-        requireUserVerification: false,
-    });
-    if (!verification.verified || !verification.registrationInfo) {
-        throw new Error('Registration verification failed');
-    }
-    const { credential, credentialDeviceType, credentialBackedUp } = verification.registrationInfo;
-    // Store the new passkey via authz
-    const passkey = await authzRegisterPasskey({
-        userId,
-        credentialId: bufferToBase64Url(credential.id),
-        credentialPublicKey: bufferToBase64Url(credential.publicKey),
-        counter: credential.counter,
-        deviceType: credentialDeviceType,
-        backedUp: credentialBackedUp,
-        transports: response.response.transports || [],
-        aaguid: verification.registrationInfo.aaguid,
-        name: deviceName,
-    }, options);
-    return passkey;
-}
-// ============================================================================
-// Authentication (signing in with a passkey)
-// ============================================================================
-/**
- * Generate authentication options for passkey login
- *
- * Note: We don't look up user by email here because:
- * 1. During login, we don't have an access token yet
- * 2. Modern browsers support "discoverable credentials" which auto-select the right passkey
- * 3. Allowing any passkey is actually the correct UX for passkey authentication
- */
-export async function generatePasskeyAuthenticationOptions(_email) {
-    const options = getAuthzOptions();
-    // We don't restrict to specific credentials - the browser will show
-    // all available passkeys for this RP (discoverable credentials)
-    // This is the correct behavior for passkey authentication
-    const authOptions = await generateAuthenticationOptions({
-        rpID: getRpId(),
-        timeout: 300000,
-        userVerification: 'preferred',
-        // undefined means allow any passkey (discoverable credential)
-        allowCredentials: undefined,
-    });
-    // Store challenge for verification via authz (userId is null because we don't know the user yet)
-    await createPasskeyChallenge('authentication', undefined, options);
-    return authOptions;
-}
-/**
- * Verify an authentication response and return the user and session
- */
-export async function verifyPasskeyAuthentication(response) {
-    const options = getAuthzOptions();
-    // Extract the challenge from the response first (needed for verification)
-    const clientDataJSON = JSON.parse(Buffer.from(response.response.clientDataJSON, 'base64').toString());
-    const expectedChallenge = clientDataJSON.challenge;
-    // Find the passkey by credential ID via authz
-    // The credential ID should match what was stored during registration
-    // During registration, we store: bufferToBase64Url(credential.id)
-    // During authentication, response.id and response.rawId should both be Base64URL-encoded
-    // Use rawId if available, otherwise fall back to id
-    const credentialId = response.rawId || response.id;
-    if (!credentialId) {
-        throw new Error('Missing credential ID in authentication response');
-    }
-    // Log for debugging
-    console.log('[PASSKEY] Authentication response credential IDs:', {
-        id: response.id,
-        rawId: response.rawId,
-        using: credentialId,
-        id_length: response.id?.length,
-        rawId_length: response.rawId?.length,
-    });
-    // Get passkey details from authz via HTTP call
-    // Zero Trust: This is a public endpoint during authentication - no auth needed
-    const authzUrl = getAuthzBaseUrl();
-    // Credential ID is already Base64URL-encoded, but we need to URL-encode it for the path
-    const encodedCredentialId = encodeURIComponent(credentialId);
-    console.log('[PASSKEY] Looking up passkey with credential ID:', credentialId.substring(0, 30) + '...');
-    const passkeyResponse = await fetch(`${authzUrl}/auth/passkeys/by-credential/${encodedCredentialId}`);
-    if (!passkeyResponse.ok) {
-        const errorText = await passkeyResponse.text().catch(() => 'Unknown error');
-        console.error(`[PASSKEY] Failed to get passkey by credential ID: ${passkeyResponse.status} - ${errorText}`);
-        console.error(`[PASSKEY] Credential ID: ${credentialId.substring(0, 20)}...`);
-        throw new Error('Passkey not found');
-    }
-    const passkeyData = await passkeyResponse.json();
-    // Validate that user_id exists in the response
-    if (!passkeyData.user_id) {
-        console.error('[PASSKEY] Passkey lookup response missing user_id:', passkeyData);
-        throw new Error('Passkey lookup returned invalid data: missing user_id');
-    }
-    const passkey = passkeyData;
-    // Log the passkey data for debugging
-    console.log('[PASSKEY] Passkey lookup result:', {
-        passkey_id: passkey.passkey_id,
-        user_id: passkey.user_id,
-        user_id_type: typeof passkey.user_id,
-        credential_id: passkey.credential_id?.substring(0, 20) + '...',
-    });
-    // Verify the authentication response
-    const verification = await verifyAuthenticationResponse({
-        response,
-        expectedChallenge,
-        expectedOrigin: getOrigin(),
-        expectedRPID: getRpId(),
-        credential: {
-            id: passkey.credential_id,
-            publicKey: base64UrlToBuffer(passkey.credential_public_key),
-            counter: passkey.counter,
-            transports: (passkey.transports || []),
-        },
-        requireUserVerification: false,
-    });
-    if (!verification.verified) {
-        throw new Error('Authentication verification failed');
-    }
-    // Authenticate with authz - this updates the counter, creates a session, and returns user info
-    // This is a public endpoint - no access token needed (the passkey signature is the proof)
-    const authResult = await authzAuthenticateWithPasskey(credentialId, verification.authenticationInfo.newCounter, options);
-    if (!authResult) {
-        throw new Error('Passkey authentication failed - counter replay or invalid passkey');
-    }
-    // The authResult already has the user info - no need to call getUser separately
-    // Get user ID - authz API may return 'id' or 'user_id' depending on endpoint
-    const authUser = authResult.user;
-    const resolvedUserId = authUser.id || authUser.user_id;
-    if (!resolvedUserId) {
-        throw new Error('Passkey authentication failed - no user ID in response');
-    }
-    // Map the roles to include required fields (authz returns minimal role info)
-    const user = {
-        id: resolvedUserId,
-        email: authResult.user.email,
-        status: authResult.user.status,
-        roles: authResult.user.roles.map(r => ({
-            id: r.id,
-            name: r.name,
-            created_at: '', // Not returned by auth endpoint
-            updated_at: '', // Not returned by auth endpoint
-        })),
-        created_at: '', // Not returned by auth endpoint
-        updated_at: '', // Not returned by auth endpoint
-    };
-    // Extract session info from authResult
-    const session = {
-        token: authResult.session.token,
-        expires_at: authResult.session.expires_at,
-    };
-    console.log('[PASSKEY] Authentication successful:', {
-        user_id: user.id,
-        email: user.email,
-        roles: user.roles?.map(r => r.name),
-        session_token_length: session.token?.length,
-    });
-    return { passkey, user, session };
-}
-// ============================================================================
-// Passkey Management
-// ============================================================================
-/**
- * Get all passkeys for a user
- * @param userId - User ID
- * @param sessionJwt - Optional session JWT for self-service authentication
- */
-export async function getUserPasskeys(userId, sessionJwt) {
-    const options = {
-        ...getAuthzOptions(),
-        ...(sessionJwt && { accessToken: sessionJwt }),
-    };
-    return authzListUserPasskeys(userId, options);
-}
-/**
- * Delete a passkey
- * @param userId - User ID (for ownership verification)
- * @param passkeyId - Passkey ID to delete
- * @param sessionJwt - Optional session JWT for self-service authentication
- */
-export async function deletePasskey(userId, passkeyId, sessionJwt) {
-    const options = {
-        ...getAuthzOptions(),
-        ...(sessionJwt && { accessToken: sessionJwt }),
-    };
-    // First verify the passkey belongs to this user
-    const passkeys = await authzListUserPasskeys(userId, options);
-    const passkey = passkeys.find(p => p.passkey_id === passkeyId);
-    if (!passkey) {
-        throw new Error('Passkey not found');
-    }
-    await authzDeletePasskey(passkeyId, options);
-    return passkey;
-}
-/**
- * Rename a passkey
- * @param userId - User ID (for ownership verification)
- * @param passkeyId - Passkey ID to rename
- * @param newName - New name for the passkey
- * @param sessionJwt - Optional session JWT for self-service authentication
- */
-export async function renamePasskey(userId, passkeyId, newName, sessionJwt) {
-    const options = {
-        ...getAuthzOptions(),
-        ...(sessionJwt && { accessToken: sessionJwt }),
-    };
-    // First verify the passkey belongs to this user
-    const passkeys = await authzListUserPasskeys(userId, options);
-    const passkey = passkeys.find(p => p.passkey_id === passkeyId);
-    if (!passkey) {
-        throw new Error('Passkey not found');
-    }
-    // Update the passkey name via authz
-    const authzUrl = getAuthzBaseUrl();
-    const headers = {
-        'Content-Type': 'application/json',
-    };
-    if (sessionJwt) {
-        headers['Authorization'] = `Bearer ${sessionJwt}`;
-    }
-    const response = await fetch(`${authzUrl}/auth/passkeys/${passkeyId}`, {
-        method: 'PATCH',
-        headers,
-        body: JSON.stringify({ name: newName }),
-    });
-    if (!response.ok) {
-        throw new Error('Failed to rename passkey');
-    }
-    return response.json();
-}
-/**
- * Check if user has any passkeys
- * @param userId - User ID
- * @param sessionJwt - Optional session JWT for self-service authentication
- */
-export async function userHasPasskeys(userId, sessionJwt) {
-    const options = {
-        ...getAuthzOptions(),
-        ...(sessionJwt && { accessToken: sessionJwt }),
-    };
-    const passkeys = await authzListUserPasskeys(userId, options);
-    return passkeys.length > 0;
-}
-// ============================================================================
-// Utility Functions
-// ============================================================================
-function bufferToBase64Url(input) {
-    const buffer = typeof input === 'string' ? base64UrlToBuffer(input) : input;
-    return Buffer.from(buffer).toString('base64url');
-}
-function base64UrlToBuffer(base64url) {
-    return new Uint8Array(Buffer.from(base64url, 'base64url'));
-}
-// ============================================================================
-// Challenge Cleanup (should be run periodically)
-// ============================================================================
-export async function cleanupExpiredChallenges() {
-    const options = getAuthzOptions();
-    // Call the authz cleanup endpoint
-    // Zero Trust: This is a maintenance endpoint - should be called with service account JWT
-    const authzUrl = getAuthzBaseUrl();
-    const response = await fetch(`${authzUrl}/auth/cleanup`, {
-        method: 'POST',
-    });
-    if (!response.ok) {
-        throw new Error('Failed to cleanup expired challenges');
-    }
-    const result = await response.json();
-    return result.passkeyChallengesDeleted || 0;
-}
-//# sourceMappingURL=passkey.js.map

package/dist/lib/next/passkey.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"passkey.js","sourceRoot":"","sources":["../../../src/lib/next/passkey.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EACL,2BAA2B,EAC3B,0BAA0B,EAC1B,6BAA6B,EAC7B,4BAA4B,GAC7B,MAAM,wBAAwB,CAAC;AAOhC,OAAO,EACL,sBAAsB,EACtB,eAAe,IAAI,oBAAoB,EACvC,gBAAgB,IAAI,qBAAqB,EACzC,aAAa,IAAI,kBAAkB,EACnC,uBAAuB,IAAI,4BAA4B,GAExD,MAAM,gCAAgC,CAAC;AAExC,OAAO,EAAE,eAAe,EAAE,eAAe,EAA4B,MAAM,gBAAgB,CAAC;AAE5F,mCAAmC;AACnC,wFAAwF;AACxF,uEAAuE;AACvE,8FAA8F;AAC9F,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,uBAAuB,CAAC;AAE1G,MAAM,OAAO,GAAG,GAAG,EAAE;IACnB,MAAM,GAAG,GAAG,SAAS,EAAE,CAAC;IACxB,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,WAAW,CAAC;IACrB,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,gBAAgB,CAAC;AAEjE,MAAM,SAAS,GAAG,GAAG,EAAE;IACrB,MAAM,GAAG,GAAG,SAAS,EAAE,CAAC;IACxB,IAAI,CAAC;QACH,6DAA6D;QAC7D,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,OAAO,GAAG,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IACzF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,uBAAuB,CAAC;IACjC,CAAC;AACH,CAAC,CAAC;AAEF,+EAA+E;AAC/E,sCAAsC;AACtC,+EAA+E;AAE/E;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,kCAAkC,CAAC,MAAc,EAAE,SAAiB,EAAE,UAAkB;IAC5G,4EAA4E;IAC5E,wFAAwF;IACxF,MAAM,OAAO,GAAG;QACd,QAAQ,EAAE,eAAe,EAAE;QAC3B,WAAW,EAAE,UAAU,EAAG,qCAAqC;KAChE,CAAC;IAEF,iDAAiD;IACjD,MAAM,gBAAgB,GAAG,MAAM,qBAAqB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAEtE,MAAM,kBAAkB,GACtB,gBAAgB,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QACjC,EAAE,EAAE,OAAO,CAAC,aAAa;QACzB,IAAI,EAAE,YAAY;QAClB,UAAU,EAAE,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAmC;KACzE,CAAC,CAAC,CAAC;IAEN,MAAM,mBAAmB,GAAG,MAAM,2BAA2B,CAAC;QAC5D,MAAM,EAAE,SAAS,EAAE;QACnB,IAAI,EAAE,OAAO,EAAE;QACf,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC;QACxC,QAAQ,EAAE,SAAS;QACnB,eAAe,EAAE,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACxC,0BAA0B;QAC1B,OAAO,EAAE,MAAM;QACf,oEAAoE;QACpE,sBAAsB,EAAE;YACtB,uBAAuB,EAAE,UAAU;YACnC,WAAW,EAAE,WAAW;YACxB,gBAAgB,EAAE,WAAW;SAC9B;QACD,4CAA4C;QAC5C,kBAAkB;QAClB,sCAAsC;QACtC,eAAe,EAAE,MAAM;KACxB,CAAC,CAAC;IAEH,6CAA6C;IAC7C,MAAM,sBAAsB,CAAC,cAAc,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IAE9D,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,MAAc,EACd,QAAkC,EAClC,UAAkB,EAClB,UAAkB;IAElB,4EAA4E;IAC5E,wFAAwF;IACxF,MAAM,OAAO,GAAG;QACd,QAAQ,EAAE,eAAe,EAAE;QAC3B,WAAW,EAAE,UAAU,EAAG,qCAAqC;KAChE,CAAC;IAEF,yEAAyE;IACzE,gEAAgE;IAChE,6DAA6D;IAC7D,8EAA8E;IAE9E,0DAA0D;IAC1D,0DAA0D;IAC1D,MAAM,cAAc,GAAG,IAAI,CAAC,KAAK,CAC/B,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CACnE,CAAC;IACF,MAAM,iBAAiB,GAAG,cAAc,CAAC,SAAS,CAAC;IAEnD,mCAAmC;IACnC,MAAM,YAAY,GAAG,MAAM,0BAA0B,CAAC;QACpD,QAAQ;QACR,iBAAiB;QACjB,cAAc,EAAE,SAAS,EAAE;QAC3B,YAAY,EAAE,OAAO,EAAE;QACvB,uBAAuB,EAAE,KAAK;KAC/B,CAAC,CAAC;IAEH,IAAI,CAAC,YAAY,CAAC,QAAQ,IAAI,CAAC,YAAY,CAAC,gBAAgB,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IAED,MAAM,EAAE,UAAU,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,GAAG,YAAY,CAAC,gBAAgB,CAAC;IAE/F,kCAAkC;IAClC,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC;QACzC,MAAM;QACN,YAAY,EAAE,iBAAiB,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9C,mBAAmB,EAAE,iBAAiB,CAAC,UAAU,CAAC,SAAS,CAAC;QAC5D,OAAO,EAAE,UAAU,CAAC,OAAO;QAC3B,UAAU,EAAE,oBAAoB;QAChC,QAAQ,EAAE,kBAAkB;QAC5B,UAAU,EAAE,QAAQ,CAAC,QAAQ,CAAC,UAAU,IAAI,EAAE;QAC9C,MAAM,EAAE,YAAY,CAAC,gBAAgB,CAAC,MAAM;QAC5C,IAAI,EAAE,UAAU;KACjB,EAAE,OAAO,CAAC,CAAC;IAEZ,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,+EAA+E;AAC/E,6CAA6C;AAC7C,+EAA+E;AAE/E;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,oCAAoC,CAAC,MAAe;IACxE,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;IAElC,oEAAoE;IACpE,gEAAgE;IAChE,0DAA0D;IAE1D,MAAM,WAAW,GAAG,MAAM,6BAA6B,CAAC;QACtD,IAAI,EAAE,OAAO,EAAE;QACf,OAAO,EAAE,MAAM;QACf,gBAAgB,EAAE,WAAW;QAC7B,8DAA8D;QAC9D,gBAAgB,EAAE,SAAS;KAC5B,CAAC,CAAC;IAEH,iGAAiG;IACjG,MAAM,sBAAsB,CAAC,gBAAgB,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IAEnE,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAAC,QAAoC;IAKpF,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;IAElC,0EAA0E;IAC1E,MAAM,cAAc,GAAG,IAAI,CAAC,KAAK,CAC/B,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CACnE,CAAC;IACF,MAAM,iBAAiB,GAAG,cAAc,CAAC,SAAS,CAAC;IAEnD,8CAA8C;IAC9C,qEAAqE;IACrE,kEAAkE;IAClE,yFAAyF;IACzF,oDAAoD;IACpD,MAAM,YAAY,GAAG,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,EAAE,CAAC;IAEnD,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IAED,oBAAoB;IACpB,OAAO,CAAC,GAAG,CAAC,mDAAmD,EAAE;QAC/D,EAAE,EAAE,QAAQ,CAAC,EAAE;QACf,KAAK,EAAE,QAAQ,CAAC,KAAK;QACrB,KAAK,EAAE,YAAY;QACnB,SAAS,EAAE,QAAQ,CAAC,EAAE,EAAE,MAAM;QAC9B,YAAY,EAAE,QAAQ,CAAC,KAAK,EAAE,MAAM;KACrC,CAAC,CAAC;IAEH,+CAA+C;IAC/C,+EAA+E;IAC/E,MAAM,QAAQ,GAAG,eAAe,EAAE,CAAC;IACnC,wFAAwF;IACxF,MAAM,mBAAmB,GAAG,kBAAkB,CAAC,YAAY,CAAC,CAAC;IAC7D,OAAO,CAAC,GAAG,CAAC,kDAAkD,EAAE,YAAY,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC;IACvG,MAAM,eAAe,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,gCAAgC,mBAAmB,EAAE,CAAC,CAAC;IAEtG,IAAI,CAAC,eAAe,CAAC,EAAE,EAAE,CAAC;QACxB,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,CAAC;QAC5E,OAAO,CAAC,KAAK,CAAC,qDAAqD,eAAe,CAAC,MAAM,MAAM,SAAS,EAAE,CAAC,CAAC;QAC5G,OAAO,CAAC,KAAK,CAAC,4BAA4B,YAAY,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;QAC9E,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACvC,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,eAAe,CAAC,IAAI,EAAE,CAAC;IAEjD,+CAA+C;IAC/C,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;QACzB,OAAO,CAAC,KAAK,CAAC,oDAAoD,EAAE,WAAW,CAAC,CAAC;QACjF,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IAED,MAAM,OAAO,GAAG,WAIf,CAAC;IAEF,qCAAqC;IACrC,OAAO,CAAC,GAAG,CAAC,kCAAkC,EAAE;QAC9C,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,YAAY,EAAE,OAAO,OAAO,CAAC,OAAO;QACpC,aAAa,EAAE,OAAO,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;KAC/D,CAAC,CAAC;IAEH,qCAAqC;IACrC,MAAM,YAAY,GAAG,MAAM,4BAA4B,CAAC;QACtD,QAAQ;QACR,iBAAiB;QACjB,cAAc,EAAE,SAAS,EAAE;QAC3B,YAAY,EAAE,OAAO,EAAE;QACvB,UAAU,EAAE;YACV,EAAE,EAAE,OAAO,CAAC,aAAa;YACzB,SAAS,EAAE,iBAAiB,CAAC,OAAO,CAAC,qBAAqB,CAAQ;YAClE,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,UAAU,EAAE,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAmC;SACzE;QACD,uBAAuB,EAAE,KAAK;KAC/B,CAAC,CAAC;IAEH,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IAED,+FAA+F;IAC/F,0FAA0F;IAC1F,MAAM,UAAU,GAAG,MAAM,4BAA4B,CACnD,YAAY,EACZ,YAAY,CAAC,kBAAkB,CAAC,UAAU,EAC1C,OAAO,CACR,CAAC;IAEF,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;IACvF,CAAC;IAED,gFAAgF;IAChF,6EAA6E;IAC7E,MAAM,QAAQ,GAAG,UAAU,CAAC,IAAoH,CAAC;IACjJ,MAAM,cAAc,GAAG,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,OAAO,CAAC;IAEvD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;IAC5E,CAAC;IAED,6EAA6E;IAC7E,MAAM,IAAI,GAAc;QACtB,EAAE,EAAE,cAAc;QAClB,KAAK,EAAE,UAAU,CAAC,IAAI,CAAC,KAAK;QAC5B,MAAM,EAAE,UAAU,CAAC,IAAI,CAAC,MAA8C;QACtE,KAAK,EAAE,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACrC,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,UAAU,EAAE,EAAE,EAAE,gCAAgC;YAChD,UAAU,EAAE,EAAE,EAAE,gCAAgC;SACjD,CAAC,CAAC;QACH,UAAU,EAAE,EAAE,EAAE,gCAAgC;QAChD,UAAU,EAAE,EAAE,EAAE,gCAAgC;KACjD,CAAC;IAEF,uCAAuC;IACvC,MAAM,OAAO,GAAG;QACd,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK;QAC/B,UAAU,EAAE,UAAU,CAAC,OAAO,CAAC,UAAU;KAC1C,CAAC;IAEF,OAAO,CAAC,GAAG,CAAC,sCAAsC,EAAE;QAClD,OAAO,EAAE,IAAI,CAAC,EAAE;QAChB,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QACnC,oBAAoB,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM;KAC5C,CAAC,CAAC;IAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AACpC,CAAC;AAED,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAAc,EAAE,UAAmB;IACvE,MAAM,OAAO,GAAG;QACd,GAAG,eAAe,EAAE;QACpB,GAAG,CAAC,UAAU,IAAI,EAAE,WAAW,EAAE,UAAU,EAAE,CAAC;KAC/C,CAAC;IACF,OAAO,qBAAqB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAChD,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,MAAc,EAAE,SAAiB,EAAE,UAAmB;IACxF,MAAM,OAAO,GAAG;QACd,GAAG,eAAe,EAAE;QACpB,GAAG,CAAC,UAAU,IAAI,EAAE,WAAW,EAAE,UAAU,EAAE,CAAC;KAC/C,CAAC;IAEF,gDAAgD;IAChD,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9D,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC;IAE/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACvC,CAAC;IAED,MAAM,kBAAkB,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAC7C,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,MAAc,EAAE,SAAiB,EAAE,OAAe,EAAE,UAAmB;IACzG,MAAM,OAAO,GAAG;QACd,GAAG,eAAe,EAAE;QACpB,GAAG,CAAC,UAAU,IAAI,EAAE,WAAW,EAAE,UAAU,EAAE,CAAC;KAC/C,CAAC;IAEF,gDAAgD;IAChD,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9D,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC;IAE/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACvC,CAAC;IAED,oCAAoC;IACpC,MAAM,QAAQ,GAAG,eAAe,EAAE,CAAC;IACnC,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;KACnC,CAAC;IACF,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,UAAU,EAAE,CAAC;IACpD,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,kBAAkB,SAAS,EAAE,EAAE;QACrE,MAAM,EAAE,OAAO;QACf,OAAO;QACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;KACxC,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAAsB,CAAC;AAC7C,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAAc,EAAE,UAAmB;IACvE,MAAM,OAAO,GAAG;QACd,GAAG,eAAe,EAAE;QACpB,GAAG,CAAC,UAAU,IAAI,EAAE,WAAW,EAAE,UAAU,EAAE,CAAC;KAC/C,CAAC;IACF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9D,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E,SAAS,iBAAiB,CAAC,KAA0B;IACnD,MAAM,MAAM,GACV,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;IAC/D,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,iBAAiB,CAAC,SAAiB;IAC1C,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED,+EAA+E;AAC/E,iDAAiD;AACjD,+EAA+E;AAE/E,MAAM,CAAC,KAAK,UAAU,wBAAwB;IAC5C,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;IAElC,kCAAkC;IAClC,yFAAyF;IACzF,MAAM,QAAQ,GAAG,eAAe,EAAE,CAAC;IACnC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,eAAe,EAAE;QACvD,MAAM,EAAE,MAAM;KACf,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACrC,OAAO,MAAM,CAAC,wBAAwB,IAAI,CAAC,CAAC;AAC9C,CAAC"}

package/dist/lib/next/sso.d.ts

@@ -1,51 +0,0 @@
-/**
- * SSO Token Generation (Zero Trust)
- *
- * Uses authz service OAuth2 token exchange (RFC 8693) to generate app-scoped tokens.
- *
- * Flow:
- * 1. User requests access to an app (e.g., busibox-agents)
- * 2. busibox-portal exchanges user's session JWT with authz for an app-scoped token
- * 3. authz verifies user has access to the app via RBAC bindings
- * 4. authz issues RS256 token with app_id claim and user's roles
- * 5. External app validates token via authz JWKS: GET /.well-known/jwks.json
- *
- * Benefits:
- * - Standardized OAuth2 flow (RFC 8693)
- * - Asymmetric signing (RS256) with JWKS
- * - Service-scoped tokens (audience enforcement)
- * - App access controlled via authz RBAC bindings
- * - Centralized audit logging
- * - No client credentials needed - JWT proves identity
- */
-/**
- * User info for SSO token generation
- */
-export interface SSOUserInfo {
-    id: string;
-    email: string;
-    roles: string[];
-    sessionJwt: string;
-}
-/**
- * Generate an app-scoped access token for a user to access an external app.
- *
- * Zero Trust Flow:
- * 1. Verify app exists and is active in busibox-portal DB
- * 2. Exchange user's session JWT for an app-scoped token via authz
- * 3. Authz verifies user has app access via RBAC bindings
- * 4. Authz issues RS256 token with app_id claim
- *
- * The external app validates this token via authz JWKS endpoint:
- * GET {authz_url}/.well-known/jwks.json
- *
- * @param userInfo - User info including id, email, roles, and sessionJwt
- * @param appIdentifier - App identifier (UUID, stable audience, path, or name)
- * @returns JWT token string and expiration date
- */
-export declare function generateSSOToken(userInfo: SSOUserInfo, appIdentifier: string): Promise<{
-    token: string;
-    expiresAt: Date;
-    appUrl: string | null;
-}>;
-//# sourceMappingURL=sso.d.ts.map

package/dist/lib/next/sso.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"sso.d.ts","sourceRoot":"","sources":["../../../src/lib/next/sso.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAoBH;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;CACpB;AAsBD;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,gBAAgB,CAAC,QAAQ,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC;IAC5F,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;IAChB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB,CAAC,CAoHD"}