@jhits/plugin-users 0.0.12 → 0.0.14

package/dist/api/bridge.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Plugin Users - Session Bridge API
+ * Handles cross-domain session transfer via secure one-time tokens
+ */
+import { NextRequest, NextResponse } from 'next/server';
+/**
+ * GET /api/plugin-users/bridge/generate - Generate a one-time transfer token
+ * Call this from the "Primary" domain (.com)
+ */
+export declare function generateTransferToken(req: NextRequest, config: any): Promise<NextResponse<{
+    error: string;
+}> | NextResponse<{
+    token: string;
+}>>;
+/**
+ * GET /api/plugin-users/bridge/verify - Verify a transfer token and return user data
+ * Call this from the "Target" domain (.nl, .se) via proxy
+ */
+export declare function verifyTransferToken(req: NextRequest, config: any): Promise<NextResponse<{
+    error: string;
+}> | NextResponse<{
+    id: any;
+    email: any;
+    name: any;
+    role: any;
+    image: any;
+}>>;
+//# sourceMappingURL=bridge.d.ts.map

package/dist/api/bridge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge.d.ts","sourceRoot":"","sources":["../../src/api/bridge.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAgBxD;;;GAGG;AACH,wBAAsB,qBAAqB,CAAC,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG;;;;IAwBxE;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG;;;;;;;;IA0CtE"}

package/dist/api/bridge.js

@@ -0,0 +1,85 @@
+/**
+ * Plugin Users - Session Bridge API
+ * Handles cross-domain session transfer via secure one-time tokens
+ */
+import { NextResponse } from 'next/server';
+import { getToken } from 'next-auth/jwt';
+import { randomBytes } from 'crypto';
+// Token store (in-memory for simplicity, as tokens are extremely short-lived)
+// In a large multi-server setup, this should be in Redis
+const tokenStore = new Map();
+// Cleanup expired tokens periodically
+setInterval(() => {
+    const now = Date.now();
+    for (const [token, data] of tokenStore.entries()) {
+        if (data.expires < now)
+            tokenStore.delete(token);
+    }
+}, 60000);
+/**
+ * GET /api/plugin-users/bridge/generate - Generate a one-time transfer token
+ * Call this from the "Primary" domain (.com)
+ */
+export async function generateTransferToken(req, config) {
+    try {
+        const token = await getToken({
+            req,
+            secret: process.env.NEXTAUTH_SECRET || config.jwtSecret
+        });
+        if (!token || !token.sub) {
+            return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+        }
+        const transferToken = randomBytes(32).toString('hex');
+        const expires = Date.now() + 30000; // 30 seconds expiry
+        tokenStore.set(transferToken, {
+            userId: token.sub,
+            expires
+        });
+        return NextResponse.json({ token: transferToken });
+    }
+    catch (err) {
+        console.error('[BridgeAPI] Generate error:', err);
+        return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+    }
+}
+/**
+ * GET /api/plugin-users/bridge/verify - Verify a transfer token and return user data
+ * Call this from the "Target" domain (.nl, .se) via proxy
+ */
+export async function verifyTransferToken(req, config) {
+    try {
+        const url = new URL(req.url);
+        const transferToken = url.searchParams.get('token');
+        if (!transferToken) {
+            return NextResponse.json({ error: 'Token required' }, { status: 400 });
+        }
+        const data = tokenStore.get(transferToken);
+        if (!data || data.expires < Date.now()) {
+            tokenStore.delete(transferToken);
+            return NextResponse.json({ error: 'Invalid or expired token' }, { status: 401 });
+        }
+        // Token used, remove it
+        tokenStore.delete(transferToken);
+        // Fetch user data
+        const dbConnection = await config.getDb();
+        const db = dbConnection.db();
+        const { ObjectId } = require('mongodb');
+        const user = await db.collection('users').findOne({
+            _id: new ObjectId(data.userId)
+        });
+        if (!user) {
+            return NextResponse.json({ error: 'User not found' }, { status: 404 });
+        }
+        return NextResponse.json({
+            id: user._id.toString(),
+            email: user.email,
+            name: user.name,
+            role: user.role || 'user',
+            image: user.image || null
+        });
+    }
+    catch (err) {
+        console.error('[BridgeAPI] Verify error:', err);
+        return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+    }
+}

package/dist/api/router.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../src/api/router.ts"],"names":[],"mappings":"AAEA;;;;;;;;GAQG;AAEH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAIzC;;;;GAIG;AACH,wBAAsB,cAAc,CAChC,GAAG,EAAE,WAAW,EAChB,IAAI,EAAE,MAAM,EAAE,EACd,MAAM,EAAE,cAAc,GACvB,OAAO,CAAC,YAAY,CAAC,CAwEvB"}
+{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../src/api/router.ts"],"names":[],"mappings":"AAEA;;;;;;;;GAQG;AAEH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAIzC;;;;GAIG;AACH,wBAAsB,cAAc,CAChC,GAAG,EAAE,WAAW,EAChB,IAAI,EAAE,MAAM,EAAE,EACd,MAAM,EAAE,cAAc,GACvB,OAAO,CAAC,YAAY,CAAC,CA2DvB"}

package/dist/api/router.js

@@ -25,52 +25,45 @@ export async function handleUsersApi(req, path, config) {
             initAuthHandler(config.authOptions);
         }
         // Route: /api/auth/[...nextauth] - NextAuth routes
-        // When routed from /api/auth, the path contains the nextauth segments
-        // Path structure: /api/auth/session -> path: ['session']
-        // Path structure: /api/auth/signin -> path: ['signin']
-        // Path structure: /api/auth -> path: [] (empty)
-        // We handle this by checking if route is empty (root /api/auth) or if it's a known NextAuth route
         const isNextAuthRoute = route === '' ||
             ['session', 'signin', 'signout', 'callback', 'csrf', 'providers', 'error'].includes(route);
         if (isNextAuthRoute) {
-            // This is a NextAuth route - use the path as nextauth segments
-            // For /api/auth, path is [] -> nextauthPath is []
-            // For /api/auth/session, path is ['session'] -> nextauthPath is ['session']
             const nextauthPath = path;
-            // Create NextAuth context
             const nextauthContext = {
                 params: Promise.resolve({ nextauth: nextauthPath })
             };
-            if (method === 'GET') {
+            if (method === 'GET')
                 return await AuthGET(req, nextauthContext);
-            }
-            if (method === 'POST') {
+            if (method === 'POST')
                 return await AuthPOST(req, nextauthContext);
+        }
+        // Route: /api/plugin-users/bridge (Session Bridge)
+        if (route === 'bridge') {
+            const bridgeModule = await import('./bridge');
+            const subRoute = path.length > 1 ? path[1] : '';
+            if (subRoute === 'generate' && method === 'GET') {
+                return await bridgeModule.generateTransferToken(req, config);
+            }
+            if (subRoute === 'verify' && method === 'GET') {
+                return await bridgeModule.verifyTransferToken(req, config);
             }
         }
         // Route: /api/users or /api/plugin-users/users (user management)
         if (route === 'users') {
             if (path.length === 1) {
-                // /api/users or /api/plugin-users/users
-                if (method === 'GET') {
+                if (method === 'GET')
                     return await GET_USERS(req, config);
-                }
-                if (method === 'POST') {
+                if (method === 'POST')
                     return await POST_USERS(req, config);
-                }
             }
             else if (path.length === 2) {
-                // /api/users/[id] or /api/plugin-users/users/[id]
                 const userId = path[1];
-                if (method === 'PATCH') {
+                if (method === 'PATCH')
                     return await PATCH_USER(req, userId, config);
-                }
-                if (method === 'DELETE') {
+                if (method === 'DELETE')
                     return await DELETE_USER(req, userId, config);
-                }
             }
         }
-        // Method not allowed
         return NextResponse.json({ error: `Method ${method} not allowed for route: ${route || '/'}` }, { status: 405 });
     }
     catch (error) {

package/dist/index.server.d.ts

@@ -8,5 +8,6 @@ import 'server-only';
  */
 export { handleUsersApi as handleApi } from './api/router';
 export { handleUsersApi } from './api/router';
+export { generateTransferToken, verifyTransferToken } from './api/bridge';
 export type { UsersApiConfig } from './api/users';
 //# sourceMappingURL=index.server.d.ts.map

package/dist/index.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.server.d.ts","sourceRoot":"","sources":["../src/index.server.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAErB;;;;;;GAMG;AAEH,OAAO,EAAE,cAAc,IAAI,SAAS,EAAE,MAAM,cAAc,CAAC;AAC3D,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,YAAY,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.server.d.ts","sourceRoot":"","sources":["../src/index.server.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAErB;;;;;;GAMG;AAEH,OAAO,EAAE,cAAc,IAAI,SAAS,EAAE,MAAM,cAAc,CAAC;AAC3D,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAC1E,YAAY,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC"}

package/dist/index.server.js

@@ -8,3 +8,4 @@ import 'server-only';
  */
 export { handleUsersApi as handleApi } from './api/router';
 export { handleUsersApi } from './api/router'; // Keep original export for backward compatibility
+export { generateTransferToken, verifyTransferToken } from './api/bridge';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jhits/plugin-users",
-  "version": "0.0.12",
+  "version": "0.0.14",
   "description": "User management and authentication plugin for the JHITS ecosystem",
   "publishConfig": {
     "access": "public"
@@ -36,7 +36,7 @@
     "@types/node": "^25.2.3",
     "@types/react": "^19.2.14",
     "@types/react-dom": "^19.2.3",
-    "@jhits/plugin-core": "0.0.9"
+    "@jhits/plugin-core": "0.0.10"
   },
   "peerDependencies": {
     "next": ">=15.0.0",

package/src/api/bridge.ts

@@ -0,0 +1,98 @@
+/**
+ * Plugin Users - Session Bridge API
+ * Handles cross-domain session transfer via secure one-time tokens
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { getToken } from 'next-auth/jwt';
+import { randomBytes, createHmac } from 'crypto';
+
+// Token store (in-memory for simplicity, as tokens are extremely short-lived)
+// In a large multi-server setup, this should be in Redis
+const tokenStore = new Map<string, { userId: string; expires: number }>();
+
+// Cleanup expired tokens periodically
+setInterval(() => {
+    const now = Date.now();
+    for (const [token, data] of tokenStore.entries()) {
+        if (data.expires < now) tokenStore.delete(token);
+    }
+}, 60000);
+
+/**
+ * GET /api/plugin-users/bridge/generate - Generate a one-time transfer token
+ * Call this from the "Primary" domain (.com)
+ */
+export async function generateTransferToken(req: NextRequest, config: any) {
+    try {
+        const token = await getToken({ 
+            req, 
+            secret: process.env.NEXTAUTH_SECRET || config.jwtSecret 
+        });
+
+        if (!token || !token.sub) {
+            return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+        }
+
+        const transferToken = randomBytes(32).toString('hex');
+        const expires = Date.now() + 30000; // 30 seconds expiry
+
+        tokenStore.set(transferToken, { 
+            userId: token.sub, 
+            expires 
+        });
+
+        return NextResponse.json({ token: transferToken });
+    } catch (err) {
+        console.error('[BridgeAPI] Generate error:', err);
+        return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+    }
+}
+
+/**
+ * GET /api/plugin-users/bridge/verify - Verify a transfer token and return user data
+ * Call this from the "Target" domain (.nl, .se) via proxy
+ */
+export async function verifyTransferToken(req: NextRequest, config: any) {
+    try {
+        const url = new URL(req.url);
+        const transferToken = url.searchParams.get('token');
+
+        if (!transferToken) {
+            return NextResponse.json({ error: 'Token required' }, { status: 400 });
+        }
+
+        const data = tokenStore.get(transferToken);
+        if (!data || data.expires < Date.now()) {
+            tokenStore.delete(transferToken);
+            return NextResponse.json({ error: 'Invalid or expired token' }, { status: 401 });
+        }
+
+        // Token used, remove it
+        tokenStore.delete(transferToken);
+
+        // Fetch user data
+        const dbConnection = await config.getDb();
+        const db = dbConnection.db();
+        const { ObjectId } = require('mongodb');
+        
+        const user = await db.collection('users').findOne({ 
+            _id: new ObjectId(data.userId) 
+        });
+
+        if (!user) {
+            return NextResponse.json({ error: 'User not found' }, { status: 404 });
+        }
+
+        return NextResponse.json({
+            id: user._id.toString(),
+            email: user.email,
+            name: user.name,
+            role: user.role || 'user',
+            image: user.image || null
+        });
+    } catch (err) {
+        console.error('[BridgeAPI] Verify error:', err);
+        return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+    }
+}

package/src/api/router.ts

@@ -35,56 +35,43 @@ export async function handleUsersApi(
         }
 
         // Route: /api/auth/[...nextauth] - NextAuth routes
-        // When routed from /api/auth, the path contains the nextauth segments
-        // Path structure: /api/auth/session -> path: ['session']
-        // Path structure: /api/auth/signin -> path: ['signin']
-        // Path structure: /api/auth -> path: [] (empty)
-        // We handle this by checking if route is empty (root /api/auth) or if it's a known NextAuth route
         const isNextAuthRoute = route === '' || 
             ['session', 'signin', 'signout', 'callback', 'csrf', 'providers', 'error'].includes(route);
         
         if (isNextAuthRoute) {
-            // This is a NextAuth route - use the path as nextauth segments
-            // For /api/auth, path is [] -> nextauthPath is []
-            // For /api/auth/session, path is ['session'] -> nextauthPath is ['session']
             const nextauthPath = path;
-            
-            // Create NextAuth context
             const nextauthContext = {
                 params: Promise.resolve({ nextauth: nextauthPath })
             };
 
-            if (method === 'GET') {
-                return await AuthGET(req, nextauthContext);
+            if (method === 'GET') return await AuthGET(req, nextauthContext);
+            if (method === 'POST') return await AuthPOST(req, nextauthContext);
+        }
+
+        // Route: /api/plugin-users/bridge (Session Bridge)
+        if (route === 'bridge') {
+            const bridgeModule = await import('./bridge');
+            const subRoute = path.length > 1 ? path[1] : '';
+            if (subRoute === 'generate' && method === 'GET') {
+                return await bridgeModule.generateTransferToken(req, config);
             }
-            if (method === 'POST') {
-                return await AuthPOST(req, nextauthContext);
+            if (subRoute === 'verify' && method === 'GET') {
+                return await bridgeModule.verifyTransferToken(req, config);
             }
         }
 
         // Route: /api/users or /api/plugin-users/users (user management)
         if (route === 'users') {
             if (path.length === 1) {
-                // /api/users or /api/plugin-users/users
-                if (method === 'GET') {
-                    return await GET_USERS(req, config);
-                }
-                if (method === 'POST') {
-                    return await POST_USERS(req, config);
-                }
+                if (method === 'GET') return await GET_USERS(req, config);
+                if (method === 'POST') return await POST_USERS(req, config);
             } else if (path.length === 2) {
-                // /api/users/[id] or /api/plugin-users/users/[id]
                 const userId = path[1];
-                if (method === 'PATCH') {
-                    return await PATCH_USER(req, userId, config);
-                }
-                if (method === 'DELETE') {
-                    return await DELETE_USER(req, userId, config);
-                }
+                if (method === 'PATCH') return await PATCH_USER(req, userId, config);
+                if (method === 'DELETE') return await DELETE_USER(req, userId, config);
             }
         }
 
-        // Method not allowed
         return NextResponse.json(
             { error: `Method ${method} not allowed for route: ${route || '/'}` },
             { status: 405 }
@@ -97,4 +84,3 @@ export async function handleUsersApi(
         );
     }
 }
-

package/src/index.server.ts

@@ -10,5 +10,6 @@ import 'server-only';
 
 export { handleUsersApi as handleApi } from './api/router';
 export { handleUsersApi } from './api/router'; // Keep original export for backward compatibility
+export { generateTransferToken, verifyTransferToken } from './api/bridge';
 export type { UsersApiConfig } from './api/users';