@lanonasis/oauth-client 1.2.6 → 1.2.8

package/dist/{api-key-storage-web-DannE11B.d.cts → api-key-storage-web-J3W8nQi2.d.cts}

@@ -29,6 +29,42 @@ interface PKCEChallenge {
     codeVerifier: string;
     codeChallenge: string;
 }
+type AuthTokenType = 'api_key' | 'jwt' | 'oauth' | 'cli';
+interface AuthValidationResult {
+    valid: boolean;
+    type?: AuthTokenType;
+    userId?: string;
+    email?: string;
+    role?: string;
+    projectScope?: string;
+    permissions?: string[];
+    scope?: string | string[];
+    expiresAt?: string | null;
+    error?: string;
+    raw?: unknown;
+}
+interface AuthGatewayClientConfig {
+    authBaseUrl?: string;
+    clientId?: string;
+    projectScope?: string;
+}
+interface TokenExchangeOptions {
+    projectScope?: string;
+    platform?: string;
+}
+interface TokenExchangeResponse {
+    access_token: string;
+    refresh_token: string;
+    expires_in: number;
+    token_type?: string;
+    user?: {
+        id: string;
+        email?: string;
+        role?: string;
+        project_scope?: string;
+    };
+    [key: string]: unknown;
+}
 
 declare abstract class BaseOAuthFlow {
     protected readonly clientId: string;
@@ -91,6 +127,22 @@ declare class TokenStorage implements TokenStorageAdapter {
     private getWebEncryptionKey;
 }
 
+declare class AuthGatewayClient {
+    private authBaseUrl;
+    private projectScope;
+    private flow;
+    constructor(config?: AuthGatewayClientConfig);
+    exchangeSupabaseToken(supabaseToken: string, options?: TokenExchangeOptions): Promise<TokenExchangeResponse>;
+    refreshToken(refreshToken: string): Promise<TokenResponse>;
+    revokeToken(token: string, tokenType?: 'access_token' | 'refresh_token'): Promise<void>;
+    validateToken(token: string): Promise<AuthValidationResult>;
+    verifyApiKey(apiKey: string): Promise<AuthValidationResult>;
+    verifyToken(token: string): Promise<AuthValidationResult>;
+    introspectToken(token: string): Promise<AuthValidationResult>;
+    private normalizeTokenType;
+    private requestJson;
+}
+
 /**
  * Browser-only token storage that avoids Node/Electron dependencies.
  * Tokens are encrypted with Web Crypto and stored in localStorage.
@@ -205,4 +257,4 @@ declare class ApiKeyStorageWeb {
     private base64Decode;
 }
 
-export { ApiKeyStorageWeb as A, BaseOAuthFlow as B, DesktopOAuthFlow as D, type GrantType as G, type OAuthConfig as O, type PKCEChallenge as P, type TokenStorageAdapter as T, TokenStorageWeb as a, type TokenResponse as b, type DeviceCodeResponse as c, type AuthError as d, TokenStorage as e, type ApiKeyData as f, ApiKeyStorage as g };
+export { AuthGatewayClient as A, BaseOAuthFlow as B, DesktopOAuthFlow as D, type GrantType as G, type OAuthConfig as O, type PKCEChallenge as P, type TokenStorageAdapter as T, TokenStorageWeb as a, ApiKeyStorageWeb as b, type TokenResponse as c, type DeviceCodeResponse as d, type AuthError as e, type AuthTokenType as f, type AuthValidationResult as g, type AuthGatewayClientConfig as h, type TokenExchangeOptions as i, type TokenExchangeResponse as j, TokenStorage as k, type ApiKeyData as l, ApiKeyStorage as m };

package/dist/{api-key-storage-web-DannE11B.d.ts → api-key-storage-web-J3W8nQi2.d.ts}

@@ -29,6 +29,42 @@ interface PKCEChallenge {
     codeVerifier: string;
     codeChallenge: string;
 }
+type AuthTokenType = 'api_key' | 'jwt' | 'oauth' | 'cli';
+interface AuthValidationResult {
+    valid: boolean;
+    type?: AuthTokenType;
+    userId?: string;
+    email?: string;
+    role?: string;
+    projectScope?: string;
+    permissions?: string[];
+    scope?: string | string[];
+    expiresAt?: string | null;
+    error?: string;
+    raw?: unknown;
+}
+interface AuthGatewayClientConfig {
+    authBaseUrl?: string;
+    clientId?: string;
+    projectScope?: string;
+}
+interface TokenExchangeOptions {
+    projectScope?: string;
+    platform?: string;
+}
+interface TokenExchangeResponse {
+    access_token: string;
+    refresh_token: string;
+    expires_in: number;
+    token_type?: string;
+    user?: {
+        id: string;
+        email?: string;
+        role?: string;
+        project_scope?: string;
+    };
+    [key: string]: unknown;
+}
 
 declare abstract class BaseOAuthFlow {
     protected readonly clientId: string;
@@ -91,6 +127,22 @@ declare class TokenStorage implements TokenStorageAdapter {
     private getWebEncryptionKey;
 }
 
+declare class AuthGatewayClient {
+    private authBaseUrl;
+    private projectScope;
+    private flow;
+    constructor(config?: AuthGatewayClientConfig);
+    exchangeSupabaseToken(supabaseToken: string, options?: TokenExchangeOptions): Promise<TokenExchangeResponse>;
+    refreshToken(refreshToken: string): Promise<TokenResponse>;
+    revokeToken(token: string, tokenType?: 'access_token' | 'refresh_token'): Promise<void>;
+    validateToken(token: string): Promise<AuthValidationResult>;
+    verifyApiKey(apiKey: string): Promise<AuthValidationResult>;
+    verifyToken(token: string): Promise<AuthValidationResult>;
+    introspectToken(token: string): Promise<AuthValidationResult>;
+    private normalizeTokenType;
+    private requestJson;
+}
+
 /**
  * Browser-only token storage that avoids Node/Electron dependencies.
  * Tokens are encrypted with Web Crypto and stored in localStorage.
@@ -205,4 +257,4 @@ declare class ApiKeyStorageWeb {
     private base64Decode;
 }
 
-export { ApiKeyStorageWeb as A, BaseOAuthFlow as B, DesktopOAuthFlow as D, type GrantType as G, type OAuthConfig as O, type PKCEChallenge as P, type TokenStorageAdapter as T, TokenStorageWeb as a, type TokenResponse as b, type DeviceCodeResponse as c, type AuthError as d, TokenStorage as e, type ApiKeyData as f, ApiKeyStorage as g };
+export { AuthGatewayClient as A, BaseOAuthFlow as B, DesktopOAuthFlow as D, type GrantType as G, type OAuthConfig as O, type PKCEChallenge as P, type TokenStorageAdapter as T, TokenStorageWeb as a, ApiKeyStorageWeb as b, type TokenResponse as c, type DeviceCodeResponse as d, type AuthError as e, type AuthTokenType as f, type AuthValidationResult as g, type AuthGatewayClientConfig as h, type TokenExchangeOptions as i, type TokenExchangeResponse as j, TokenStorage as k, type ApiKeyData as l, ApiKeyStorage as m };

package/dist/browser.cjs

@@ -31,6 +31,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var browser_exports = {};
 __export(browser_exports, {
   ApiKeyStorageWeb: () => ApiKeyStorageWeb,
+  AuthGatewayClient: () => AuthGatewayClient,
   BaseOAuthFlow: () => BaseOAuthFlow,
   DesktopOAuthFlow: () => DesktopOAuthFlow,
   MCPClient: () => MCPClient,
@@ -432,7 +433,7 @@ var APIKeyFlow = class extends BaseOAuthFlow {
    */
   async validateAPIKey() {
     try {
-      const response = await (0, import_cross_fetch2.default)(`${this.config.authBaseUrl}/api/v1/health`, {
+      const response = await (0, import_cross_fetch2.default)(`${this.authBaseUrl}/api/v1/health`, {
         headers: {
           "x-api-key": this.apiKey
         }
@@ -662,6 +663,192 @@ var MCPClient = class {
   }
 };
 
+// src/client/auth-gateway-client.ts
+var import_cross_fetch4 = __toESM(require("cross-fetch"), 1);
+var GatewayOAuthFlow = class extends BaseOAuthFlow {
+  async authenticate() {
+    throw new Error("Interactive authentication is not supported in AuthGatewayClient.");
+  }
+};
+var DEFAULT_AUTH_BASE_URL = "https://auth.lanonasis.com";
+var DEFAULT_CLIENT_ID = "lanonasis-cli";
+var DEFAULT_PROJECT_SCOPE = "lanonasis-maas";
+var API_KEY_PREFIXES = ["lano_", "pk_", "sk_"];
+var AuthGatewayClient = class {
+  constructor(config = {}) {
+    const baseUrl = config.authBaseUrl || DEFAULT_AUTH_BASE_URL;
+    this.authBaseUrl = baseUrl.replace(/\/+$/, "");
+    this.projectScope = config.projectScope || DEFAULT_PROJECT_SCOPE;
+    this.flow = new GatewayOAuthFlow({
+      clientId: config.clientId || DEFAULT_CLIENT_ID,
+      authBaseUrl: this.authBaseUrl
+    });
+  }
+  async exchangeSupabaseToken(supabaseToken, options = {}) {
+    const token = typeof supabaseToken === "string" ? supabaseToken.trim() : "";
+    if (!token) {
+      throw new Error("Supabase access token is required");
+    }
+    const projectScope = options.projectScope || this.projectScope;
+    const platform = options.platform || "web";
+    return this.requestJson("/v1/auth/token/exchange", {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+        "X-Project-Scope": projectScope
+      },
+      body: JSON.stringify({
+        project_scope: projectScope,
+        platform
+      })
+    });
+  }
+  async refreshToken(refreshToken) {
+    return this.flow.refreshToken(refreshToken);
+  }
+  async revokeToken(token, tokenType = "access_token") {
+    return this.flow.revokeToken(token, tokenType);
+  }
+  async validateToken(token) {
+    const trimmed = typeof token === "string" ? token.trim() : "";
+    if (!trimmed) {
+      return { valid: false, error: "Token is required" };
+    }
+    if (API_KEY_PREFIXES.some((prefix) => trimmed.startsWith(prefix))) {
+      return this.verifyApiKey(trimmed);
+    }
+    if (trimmed.startsWith("cli_") || trimmed.includes(".")) {
+      return this.verifyToken(trimmed);
+    }
+    return this.introspectToken(trimmed);
+  }
+  async verifyApiKey(apiKey) {
+    try {
+      const data = await this.requestJson("/v1/auth/verify-api-key", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-API-Key": apiKey
+        }
+      });
+      if (!data || data.valid === false) {
+        return {
+          valid: false,
+          type: "api_key",
+          error: data && (data.error || data.message) || "Invalid API key",
+          raw: data
+        };
+      }
+      return {
+        valid: true,
+        type: "api_key",
+        userId: data.userId,
+        projectScope: data.projectScope,
+        permissions: data.permissions || [],
+        raw: data
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        type: "api_key",
+        error: error?.message || "API key validation failed",
+        raw: error?.data
+      };
+    }
+  }
+  async verifyToken(token) {
+    try {
+      const data = await this.requestJson("/v1/auth/verify-token", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ token })
+      });
+      if (!data || data.valid === false) {
+        return {
+          valid: false,
+          type: data?.type ? this.normalizeTokenType(data.type) : "jwt",
+          error: data?.error || "Invalid token",
+          raw: data
+        };
+      }
+      return {
+        valid: true,
+        type: data.type ? this.normalizeTokenType(data.type) : "jwt",
+        userId: data.user?.id,
+        email: data.user?.email,
+        role: data.user?.role,
+        expiresAt: data.expires_at || null,
+        raw: data
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        type: "jwt",
+        error: error?.message || "Token verification failed",
+        raw: error?.data
+      };
+    }
+  }
+  async introspectToken(token) {
+    try {
+      const data = await this.requestJson("/oauth/introspect", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ token })
+      });
+      if (!data || data.active !== true) {
+        return {
+          valid: false,
+          type: "oauth",
+          error: "Token is inactive",
+          raw: data
+        };
+      }
+      return {
+        valid: true,
+        type: "oauth",
+        userId: data.user_id || data.sub,
+        scope: data.scope,
+        expiresAt: data.exp ? new Date(data.exp * 1e3).toISOString() : null,
+        raw: data
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        type: "oauth",
+        error: error?.message || "Token introspection failed",
+        raw: error?.data
+      };
+    }
+  }
+  normalizeTokenType(type) {
+    if (type === "cli_token") return "cli";
+    if (type === "jwt") return "jwt";
+    return "jwt";
+  }
+  async requestJson(path, options) {
+    const response = await (0, import_cross_fetch4.default)(`${this.authBaseUrl}${path.startsWith("/") ? path : `/${path}`}`, options);
+    const text = await response.text();
+    let data = null;
+    if (text) {
+      try {
+        data = JSON.parse(text);
+      } catch (parseError) {
+        data = { raw: text };
+      }
+    }
+    if (!response.ok) {
+      const message = data?.message || data?.error || `Request failed (${response.status})`;
+      const error = new Error(message);
+      error.status = response.status;
+      error.data = data;
+      throw error;
+    }
+    return data;
+  }
+};
+
 // src/storage/api-key-storage-web.ts
 var ApiKeyStorageWeb = class {
   constructor() {

package/dist/browser.d.cts

@@ -1,5 +1,5 @@
-import { O as OAuthConfig, T as TokenStorageAdapter } from './api-key-storage-web-DannE11B.cjs';
-export { A as ApiKeyStorageWeb, d as AuthError, B as BaseOAuthFlow, D as DesktopOAuthFlow, c as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, b as TokenResponse, a as TokenStorageWeb } from './api-key-storage-web-DannE11B.cjs';
+import { O as OAuthConfig, T as TokenStorageAdapter } from './api-key-storage-web-J3W8nQi2.cjs';
+export { b as ApiKeyStorageWeb, e as AuthError, A as AuthGatewayClient, h as AuthGatewayClientConfig, f as AuthTokenType, g as AuthValidationResult, B as BaseOAuthFlow, D as DesktopOAuthFlow, d as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, i as TokenExchangeOptions, j as TokenExchangeResponse, c as TokenResponse, a as TokenStorageWeb } from './api-key-storage-web-J3W8nQi2.cjs';
 
 interface MCPClientConfig extends Partial<OAuthConfig> {
     mcpEndpoint?: string;

package/dist/browser.d.ts

@@ -1,5 +1,5 @@
-import { O as OAuthConfig, T as TokenStorageAdapter } from './api-key-storage-web-DannE11B.js';
-export { A as ApiKeyStorageWeb, d as AuthError, B as BaseOAuthFlow, D as DesktopOAuthFlow, c as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, b as TokenResponse, a as TokenStorageWeb } from './api-key-storage-web-DannE11B.js';
+import { O as OAuthConfig, T as TokenStorageAdapter } from './api-key-storage-web-J3W8nQi2.js';
+export { b as ApiKeyStorageWeb, e as AuthError, A as AuthGatewayClient, h as AuthGatewayClientConfig, f as AuthTokenType, g as AuthValidationResult, B as BaseOAuthFlow, D as DesktopOAuthFlow, d as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, i as TokenExchangeOptions, j as TokenExchangeResponse, c as TokenResponse, a as TokenStorageWeb } from './api-key-storage-web-J3W8nQi2.js';
 
 interface MCPClientConfig extends Partial<OAuthConfig> {
     mcpEndpoint?: string;

package/dist/browser.mjs

@@ -399,7 +399,7 @@ var APIKeyFlow = class extends BaseOAuthFlow {
    */
   async validateAPIKey() {
     try {
-      const response = await fetch2(`${this.config.authBaseUrl}/api/v1/health`, {
+      const response = await fetch2(`${this.authBaseUrl}/api/v1/health`, {
         headers: {
           "x-api-key": this.apiKey
         }
@@ -629,6 +629,192 @@ var MCPClient = class {
   }
 };
 
+// src/client/auth-gateway-client.ts
+import fetch4 from "cross-fetch";
+var GatewayOAuthFlow = class extends BaseOAuthFlow {
+  async authenticate() {
+    throw new Error("Interactive authentication is not supported in AuthGatewayClient.");
+  }
+};
+var DEFAULT_AUTH_BASE_URL = "https://auth.lanonasis.com";
+var DEFAULT_CLIENT_ID = "lanonasis-cli";
+var DEFAULT_PROJECT_SCOPE = "lanonasis-maas";
+var API_KEY_PREFIXES = ["lano_", "pk_", "sk_"];
+var AuthGatewayClient = class {
+  constructor(config = {}) {
+    const baseUrl = config.authBaseUrl || DEFAULT_AUTH_BASE_URL;
+    this.authBaseUrl = baseUrl.replace(/\/+$/, "");
+    this.projectScope = config.projectScope || DEFAULT_PROJECT_SCOPE;
+    this.flow = new GatewayOAuthFlow({
+      clientId: config.clientId || DEFAULT_CLIENT_ID,
+      authBaseUrl: this.authBaseUrl
+    });
+  }
+  async exchangeSupabaseToken(supabaseToken, options = {}) {
+    const token = typeof supabaseToken === "string" ? supabaseToken.trim() : "";
+    if (!token) {
+      throw new Error("Supabase access token is required");
+    }
+    const projectScope = options.projectScope || this.projectScope;
+    const platform = options.platform || "web";
+    return this.requestJson("/v1/auth/token/exchange", {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+        "X-Project-Scope": projectScope
+      },
+      body: JSON.stringify({
+        project_scope: projectScope,
+        platform
+      })
+    });
+  }
+  async refreshToken(refreshToken) {
+    return this.flow.refreshToken(refreshToken);
+  }
+  async revokeToken(token, tokenType = "access_token") {
+    return this.flow.revokeToken(token, tokenType);
+  }
+  async validateToken(token) {
+    const trimmed = typeof token === "string" ? token.trim() : "";
+    if (!trimmed) {
+      return { valid: false, error: "Token is required" };
+    }
+    if (API_KEY_PREFIXES.some((prefix) => trimmed.startsWith(prefix))) {
+      return this.verifyApiKey(trimmed);
+    }
+    if (trimmed.startsWith("cli_") || trimmed.includes(".")) {
+      return this.verifyToken(trimmed);
+    }
+    return this.introspectToken(trimmed);
+  }
+  async verifyApiKey(apiKey) {
+    try {
+      const data = await this.requestJson("/v1/auth/verify-api-key", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-API-Key": apiKey
+        }
+      });
+      if (!data || data.valid === false) {
+        return {
+          valid: false,
+          type: "api_key",
+          error: data && (data.error || data.message) || "Invalid API key",
+          raw: data
+        };
+      }
+      return {
+        valid: true,
+        type: "api_key",
+        userId: data.userId,
+        projectScope: data.projectScope,
+        permissions: data.permissions || [],
+        raw: data
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        type: "api_key",
+        error: error?.message || "API key validation failed",
+        raw: error?.data
+      };
+    }
+  }
+  async verifyToken(token) {
+    try {
+      const data = await this.requestJson("/v1/auth/verify-token", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ token })
+      });
+      if (!data || data.valid === false) {
+        return {
+          valid: false,
+          type: data?.type ? this.normalizeTokenType(data.type) : "jwt",
+          error: data?.error || "Invalid token",
+          raw: data
+        };
+      }
+      return {
+        valid: true,
+        type: data.type ? this.normalizeTokenType(data.type) : "jwt",
+        userId: data.user?.id,
+        email: data.user?.email,
+        role: data.user?.role,
+        expiresAt: data.expires_at || null,
+        raw: data
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        type: "jwt",
+        error: error?.message || "Token verification failed",
+        raw: error?.data
+      };
+    }
+  }
+  async introspectToken(token) {
+    try {
+      const data = await this.requestJson("/oauth/introspect", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ token })
+      });
+      if (!data || data.active !== true) {
+        return {
+          valid: false,
+          type: "oauth",
+          error: "Token is inactive",
+          raw: data
+        };
+      }
+      return {
+        valid: true,
+        type: "oauth",
+        userId: data.user_id || data.sub,
+        scope: data.scope,
+        expiresAt: data.exp ? new Date(data.exp * 1e3).toISOString() : null,
+        raw: data
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        type: "oauth",
+        error: error?.message || "Token introspection failed",
+        raw: error?.data
+      };
+    }
+  }
+  normalizeTokenType(type) {
+    if (type === "cli_token") return "cli";
+    if (type === "jwt") return "jwt";
+    return "jwt";
+  }
+  async requestJson(path, options) {
+    const response = await fetch4(`${this.authBaseUrl}${path.startsWith("/") ? path : `/${path}`}`, options);
+    const text = await response.text();
+    let data = null;
+    if (text) {
+      try {
+        data = JSON.parse(text);
+      } catch (parseError) {
+        data = { raw: text };
+      }
+    }
+    if (!response.ok) {
+      const message = data?.message || data?.error || `Request failed (${response.status})`;
+      const error = new Error(message);
+      error.status = response.status;
+      error.data = data;
+      throw error;
+    }
+    return data;
+  }
+};
+
 // src/storage/api-key-storage-web.ts
 var ApiKeyStorageWeb = class {
   constructor() {
@@ -760,6 +946,7 @@ var ApiKeyStorageWeb = class {
 };
 export {
   ApiKeyStorageWeb,
+  AuthGatewayClient,
   BaseOAuthFlow,
   DesktopOAuthFlow,
   MCPClient,