npm - @lanonasis/oauth-client - Versions diffs - 1.2.7 → 1.2.8 - Mend

@lanonasis/oauth-client 1.2.7 → 1.2.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/browser.cjs CHANGED Viewed

@@ -433,7 +433,7 @@ var APIKeyFlow = class extends BaseOAuthFlow {
    */
   async validateAPIKey() {
     try {
-      const response = await (0, import_cross_fetch2.default)(`${this.config.authBaseUrl}/api/v1/health`, {
+      const response = await (0, import_cross_fetch2.default)(`${this.authBaseUrl}/api/v1/health`, {
         headers: {
           "x-api-key": this.apiKey
         }

package/dist/browser.mjs CHANGED Viewed

@@ -399,7 +399,7 @@ var APIKeyFlow = class extends BaseOAuthFlow {
    */
   async validateAPIKey() {
     try {
-      const response = await fetch2(`${this.config.authBaseUrl}/api/v1/health`, {
+      const response = await fetch2(`${this.authBaseUrl}/api/v1/health`, {
         headers: {
           "x-api-key": this.apiKey
         }

package/dist/index.cjs CHANGED Viewed

@@ -30,12 +30,14 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  APIKeyFlow: () => APIKeyFlow,
   ApiKeyStorage: () => ApiKeyStorage,
   ApiKeyStorageWeb: () => ApiKeyStorageWeb,
   AuthGatewayClient: () => AuthGatewayClient,
   BaseOAuthFlow: () => BaseOAuthFlow,
   DesktopOAuthFlow: () => DesktopOAuthFlow,
   MCPClient: () => MCPClient,
+  MagicLinkFlow: () => MagicLinkFlow,
   TerminalOAuthFlow: () => TerminalOAuthFlow,
   TokenStorage: () => TokenStorage,
   TokenStorageWeb: () => TokenStorageWeb
@@ -368,6 +370,256 @@ var DesktopOAuthFlow = class extends BaseOAuthFlow {
   }
 };
+// src/flows/magic-link-flow.ts
+var import_cross_fetch3 = __toESM(require("cross-fetch"), 1);
+var MagicLinkFlow = class extends BaseOAuthFlow {
+  constructor(config) {
+    super(config);
+    this.projectScope = config.projectScope || "lanonasis-maas";
+    this.platform = config.platform || "cli";
+  }
+  /**
+   * Main authenticate method - uses OTP code flow by default
+   * For interactive CLI usage, prefer using requestOTP() and verifyOTP() separately
+   */
+  async authenticate() {
+    throw new Error(
+      "MagicLinkFlow requires two-step authentication. Use requestOTP() + verifyOTP() for CLI, or requestMagicLink() for web."
+    );
+  }
+  // ============================================================================
+  // OTP Code Flow (for CLI, mobile - user enters code manually)
+  // ============================================================================
+  /**
+   * Request a 6-digit OTP code to be sent via email
+   * User will enter this code manually in the CLI
+   *
+   * @param email - User's email address
+   * @returns Response with success status and expiration time
+   */
+  async requestOTP(email) {
+    const response = await (0, import_cross_fetch3.default)(`${this.authBaseUrl}/v1/auth/otp/send`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        email: email.trim().toLowerCase(),
+        type: "email",
+        // Explicitly request 6-digit code, not magic link
+        platform: this.platform,
+        project_scope: this.projectScope
+      })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      throw new Error(data.message || data.error || "Failed to send OTP");
+    }
+    return data;
+  }
+  /**
+   * Verify the OTP code entered by the user and get tokens
+   *
+   * @param email - User's email address (must match the one used in requestOTP)
+   * @param code - 6-digit OTP code from email
+   * @returns Token response with access_token, refresh_token, etc.
+   */
+  async verifyOTP(email, code) {
+    const response = await (0, import_cross_fetch3.default)(`${this.authBaseUrl}/v1/auth/otp/verify`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        email: email.trim().toLowerCase(),
+        token: code.trim(),
+        type: "email",
+        platform: this.platform,
+        project_scope: this.projectScope
+      })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      throw new Error(data.message || data.error || "Invalid or expired OTP code");
+    }
+    return data;
+  }
+  /**
+   * Resend OTP code (rate limited)
+   *
+   * @param email - User's email address
+   * @returns Response with success status
+   */
+  async resendOTP(email) {
+    const response = await (0, import_cross_fetch3.default)(`${this.authBaseUrl}/v1/auth/otp/resend`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        email: email.trim().toLowerCase(),
+        type: "email",
+        platform: this.platform
+      })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      if (response.status === 429) {
+        throw new Error("Rate limited. Please wait before requesting another code.");
+      }
+      throw new Error(data.message || data.error || "Failed to resend OTP");
+    }
+    return data;
+  }
+  // ============================================================================
+  // Magic Link Flow (for web, desktop - user clicks link in email)
+  // ============================================================================
+  /**
+   * Request a magic link to be sent via email
+   * User will click the link which redirects to your callback URL
+   *
+   * @param email - User's email address
+   * @param redirectUri - URL to redirect to after clicking the magic link
+   * @returns Response with success status
+   */
+  async requestMagicLink(email, redirectUri) {
+    const response = await (0, import_cross_fetch3.default)(`${this.authBaseUrl}/v1/auth/otp/send`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        email: email.trim().toLowerCase(),
+        type: "magiclink",
+        redirect_uri: redirectUri,
+        platform: this.platform,
+        project_scope: this.projectScope
+      })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      throw new Error(data.message || data.error || "Failed to send magic link");
+    }
+    return data;
+  }
+  /**
+   * Alternative: Use the /v1/auth/magic-link endpoint (web-optimized)
+   * This endpoint provides better redirect handling for web apps
+   *
+   * @param email - User's email address
+   * @param redirectUri - URL to redirect to after authentication
+   * @param createUser - Whether to create a new user if email doesn't exist
+   */
+  async requestMagicLinkWeb(email, redirectUri, createUser = true) {
+    const response = await (0, import_cross_fetch3.default)(`${this.authBaseUrl}/v1/auth/magic-link`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        email: email.trim().toLowerCase(),
+        redirect_uri: redirectUri,
+        return_to: redirectUri,
+        // Alias for compatibility
+        project_scope: this.projectScope,
+        platform: "web",
+        create_user: createUser
+      })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      throw new Error(data.message || data.error || "Failed to send magic link");
+    }
+    return data;
+  }
+  /**
+   * Exchange magic link token for auth-gateway tokens
+   * Called after user clicks the magic link and is redirected to your callback
+   *
+   * @param supabaseAccessToken - Access token from Supabase (from URL hash/query)
+   * @param state - State parameter from the callback URL
+   * @returns Token response with redirect URL
+   */
+  async exchangeMagicLinkToken(supabaseAccessToken, state) {
+    const response = await (0, import_cross_fetch3.default)(`${this.authBaseUrl}/v1/auth/magic-link/exchange`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${supabaseAccessToken}`
+      },
+      body: JSON.stringify({ state })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      throw new Error(data.message || data.error || "Magic link exchange failed");
+    }
+    return data;
+  }
+  // ============================================================================
+  // Utility Methods
+  // ============================================================================
+  /**
+   * Check if an email is valid format
+   */
+  static isValidEmail(email) {
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    return emailRegex.test(email.trim());
+  }
+  /**
+   * Check if an OTP code is valid format (6 digits)
+   */
+  static isValidOTPCode(code) {
+    return /^\d{6}$/.test(code.trim());
+  }
+};
+// src/flows/apikey-flow.ts
+var import_cross_fetch4 = __toESM(require("cross-fetch"), 1);
+var APIKeyFlow = class extends BaseOAuthFlow {
+  constructor(apiKey, authBaseUrl = "https://mcp.lanonasis.com") {
+    super({
+      clientId: "api-key-client",
+      authBaseUrl
+    });
+    this.apiKey = apiKey;
+  }
+  /**
+   * "Authenticate" by returning the API key as a virtual token
+   * The API key will be used directly in request headers
+   */
+  async authenticate() {
+    if (!this.apiKey || !this.apiKey.startsWith("lano_") && !this.apiKey.startsWith("vx_")) {
+      throw new Error(
+        'Invalid API key format. Must start with "lano_" or "vx_". Please regenerate your API key from the dashboard.'
+      );
+    }
+    if (this.apiKey.startsWith("vx_")) {
+      console.warn(
+        '\u26A0\uFE0F  DEPRECATION WARNING: API keys with "vx_" prefix are deprecated and will stop working soon. Please regenerate your API key from the dashboard to get a "lano_" prefixed key. Support for "vx_" keys will be removed in a future version.'
+      );
+    }
+    return {
+      access_token: this.apiKey,
+      token_type: "api-key",
+      expires_in: 0,
+      // API keys don't expire
+      issued_at: Date.now()
+    };
+  }
+  /**
+   * API keys don't need refresh
+   */
+  async refreshToken(refreshToken) {
+    throw new Error("API keys do not support token refresh");
+  }
+  /**
+   * Optional: Validate API key by making a test request
+   */
+  async validateAPIKey() {
+    try {
+      const response = await (0, import_cross_fetch4.default)(`${this.authBaseUrl}/api/v1/health`, {
+        headers: {
+          "x-api-key": this.apiKey
+        }
+      });
+      return response.ok;
+    } catch (error) {
+      console.error("API key validation failed:", error);
+      return false;
+    }
+  }
+};
 // src/storage/token-storage.ts
 var _fs = null;
 var _path = null;
@@ -1405,66 +1657,7 @@ var ApiKeyStorageWeb = class {
 };
 // src/client/mcp-client.ts
-var import_cross_fetch4 = __toESM(require("cross-fetch"), 1);
-// src/flows/apikey-flow.ts
-var import_cross_fetch3 = __toESM(require("cross-fetch"), 1);
-var APIKeyFlow = class extends BaseOAuthFlow {
-  constructor(apiKey, authBaseUrl = "https://mcp.lanonasis.com") {
-    super({
-      clientId: "api-key-client",
-      authBaseUrl
-    });
-    this.apiKey = apiKey;
-  }
-  /**
-   * "Authenticate" by returning the API key as a virtual token
-   * The API key will be used directly in request headers
-   */
-  async authenticate() {
-    if (!this.apiKey || !this.apiKey.startsWith("lano_") && !this.apiKey.startsWith("vx_")) {
-      throw new Error(
-        'Invalid API key format. Must start with "lano_" or "vx_". Please regenerate your API key from the dashboard.'
-      );
-    }
-    if (this.apiKey.startsWith("vx_")) {
-      console.warn(
-        '\u26A0\uFE0F  DEPRECATION WARNING: API keys with "vx_" prefix are deprecated and will stop working soon. Please regenerate your API key from the dashboard to get a "lano_" prefixed key. Support for "vx_" keys will be removed in a future version.'
-      );
-    }
-    return {
-      access_token: this.apiKey,
-      token_type: "api-key",
-      expires_in: 0,
-      // API keys don't expire
-      issued_at: Date.now()
-    };
-  }
-  /**
-   * API keys don't need refresh
-   */
-  async refreshToken(refreshToken) {
-    throw new Error("API keys do not support token refresh");
-  }
-  /**
-   * Optional: Validate API key by making a test request
-   */
-  async validateAPIKey() {
-    try {
-      const response = await (0, import_cross_fetch3.default)(`${this.config.authBaseUrl}/api/v1/health`, {
-        headers: {
-          "x-api-key": this.apiKey
-        }
-      });
-      return response.ok;
-    } catch (error) {
-      console.error("API key validation failed:", error);
-      return false;
-    }
-  }
-};
-// src/client/mcp-client.ts
+var import_cross_fetch5 = __toESM(require("cross-fetch"), 1);
 var MCPClient = class {
   constructor(config = {}) {
     // ← NEW: Track auth mode
@@ -1693,7 +1886,7 @@ var MCPClient = class {
     } else {
       headers["Authorization"] = `Bearer ${this.accessToken}`;
     }
-    const response = await (0, import_cross_fetch4.default)(`${this.config.mcpEndpoint}/api`, {
+    const response = await (0, import_cross_fetch5.default)(`${this.config.mcpEndpoint}/api`, {
       method: "POST",
       headers,
       body: JSON.stringify({
@@ -1794,7 +1987,7 @@ var MCPClient = class {
 };
 // src/client/auth-gateway-client.ts
-var import_cross_fetch5 = __toESM(require("cross-fetch"), 1);
+var import_cross_fetch6 = __toESM(require("cross-fetch"), 1);
 var GatewayOAuthFlow = class extends BaseOAuthFlow {
   async authenticate() {
     throw new Error("Interactive authentication is not supported in AuthGatewayClient.");
@@ -1958,7 +2151,7 @@ var AuthGatewayClient = class {
     return "jwt";
   }
   async requestJson(path, options) {
-    const response = await (0, import_cross_fetch5.default)(`${this.authBaseUrl}${path.startsWith("/") ? path : `/${path}`}`, options);
+    const response = await (0, import_cross_fetch6.default)(`${this.authBaseUrl}${path.startsWith("/") ? path : `/${path}`}`, options);
     const text = await response.text();
     let data = null;
     if (text) {

package/dist/index.d.cts CHANGED Viewed

@@ -13,6 +13,153 @@ declare class TerminalOAuthFlow extends BaseOAuthFlow {
     private checkDeviceCode;
 }
+/**
+ * Magic Link / OTP Flow
+ *
+ * Passwordless authentication supporting two modes:
+ * 1. OTP Code (type: 'email') - User receives 6-digit code to enter manually (CLI, mobile)
+ * 2. Magic Link (type: 'magiclink') - User clicks link in email (web, desktop)
+ *
+ * Usage:
+ * ```typescript
+ * // OTP Code Flow (CLI)
+ * const flow = new MagicLinkFlow({ clientId: 'my-app' });
+ * await flow.requestOTP('user@example.com');
+ * const tokens = await flow.verifyOTP('user@example.com', '123456');
+ *
+ * // Magic Link Flow (Web)
+ * const flow = new MagicLinkFlow({ clientId: 'my-app' });
+ * await flow.requestMagicLink('user@example.com', 'https://myapp.com/auth/callback');
+ * // User clicks link in email, then:
+ * const tokens = await flow.exchangeMagicLinkToken(supabaseAccessToken, state);
+ * ```
+ */
+type OTPType = 'email' | 'magiclink';
+type Platform = 'cli' | 'web' | 'mcp' | 'api';
+interface MagicLinkConfig extends OAuthConfig {
+    projectScope?: string;
+    platform?: Platform;
+}
+interface OTPSendResponse {
+    success: boolean;
+    message: string;
+    type: OTPType;
+    expires_in: number;
+}
+interface OTPVerifyResponse extends TokenResponse {
+    auth_method: 'otp' | 'magic_link';
+    user?: {
+        id: string;
+        email: string;
+        role: string;
+    };
+}
+interface MagicLinkExchangeResponse extends TokenResponse {
+    redirect_to?: string;
+    user?: {
+        id: string;
+        email?: string;
+        role?: string;
+        project_scope?: string;
+    };
+}
+declare class MagicLinkFlow extends BaseOAuthFlow {
+    private readonly projectScope;
+    private readonly platform;
+    constructor(config: MagicLinkConfig);
+    /**
+     * Main authenticate method - uses OTP code flow by default
+     * For interactive CLI usage, prefer using requestOTP() and verifyOTP() separately
+     */
+    authenticate(): Promise<TokenResponse>;
+    /**
+     * Request a 6-digit OTP code to be sent via email
+     * User will enter this code manually in the CLI
+     *
+     * @param email - User's email address
+     * @returns Response with success status and expiration time
+     */
+    requestOTP(email: string): Promise<OTPSendResponse>;
+    /**
+     * Verify the OTP code entered by the user and get tokens
+     *
+     * @param email - User's email address (must match the one used in requestOTP)
+     * @param code - 6-digit OTP code from email
+     * @returns Token response with access_token, refresh_token, etc.
+     */
+    verifyOTP(email: string, code: string): Promise<OTPVerifyResponse>;
+    /**
+     * Resend OTP code (rate limited)
+     *
+     * @param email - User's email address
+     * @returns Response with success status
+     */
+    resendOTP(email: string): Promise<OTPSendResponse>;
+    /**
+     * Request a magic link to be sent via email
+     * User will click the link which redirects to your callback URL
+     *
+     * @param email - User's email address
+     * @param redirectUri - URL to redirect to after clicking the magic link
+     * @returns Response with success status
+     */
+    requestMagicLink(email: string, redirectUri: string): Promise<OTPSendResponse>;
+    /**
+     * Alternative: Use the /v1/auth/magic-link endpoint (web-optimized)
+     * This endpoint provides better redirect handling for web apps
+     *
+     * @param email - User's email address
+     * @param redirectUri - URL to redirect to after authentication
+     * @param createUser - Whether to create a new user if email doesn't exist
+     */
+    requestMagicLinkWeb(email: string, redirectUri: string, createUser?: boolean): Promise<{
+        success: boolean;
+        message: string;
+    }>;
+    /**
+     * Exchange magic link token for auth-gateway tokens
+     * Called after user clicks the magic link and is redirected to your callback
+     *
+     * @param supabaseAccessToken - Access token from Supabase (from URL hash/query)
+     * @param state - State parameter from the callback URL
+     * @returns Token response with redirect URL
+     */
+    exchangeMagicLinkToken(supabaseAccessToken: string, state: string): Promise<MagicLinkExchangeResponse>;
+    /**
+     * Check if an email is valid format
+     */
+    static isValidEmail(email: string): boolean;
+    /**
+     * Check if an OTP code is valid format (6 digits)
+     */
+    static isValidOTPCode(code: string): boolean;
+}
+/**
+ * API Key Authentication Flow
+ *
+ * This flow uses a direct API key for authentication instead of OAuth.
+ * The API key is sent via x-api-key header to the backend.
+ */
+declare class APIKeyFlow extends BaseOAuthFlow {
+    private apiKey;
+    constructor(apiKey: string, authBaseUrl?: string);
+    /**
+     * "Authenticate" by returning the API key as a virtual token
+     * The API key will be used directly in request headers
+     */
+    authenticate(): Promise<TokenResponse>;
+    /**
+     * API keys don't need refresh
+     */
+    refreshToken(refreshToken: string): Promise<TokenResponse>;
+    /**
+     * Optional: Validate API key by making a test request
+     */
+    validateAPIKey(): Promise<boolean>;
+}
 interface MCPClientConfig extends Partial<OAuthConfig> {
     mcpEndpoint?: string;
     autoRefresh?: boolean;
@@ -51,4 +198,4 @@ declare class MCPClient {
     deleteMemory(id: string): Promise<void>;
 }
-export { BaseOAuthFlow, MCPClient, type MCPClientConfig, OAuthConfig, TerminalOAuthFlow, TokenResponse, TokenStorageAdapter };
+export { APIKeyFlow, BaseOAuthFlow, MCPClient, type MCPClientConfig, type MagicLinkConfig, type MagicLinkExchangeResponse, MagicLinkFlow, OAuthConfig, type OTPSendResponse, type OTPType, type OTPVerifyResponse, type Platform, TerminalOAuthFlow, TokenResponse, TokenStorageAdapter };

package/dist/index.d.ts CHANGED Viewed

@@ -13,6 +13,153 @@ declare class TerminalOAuthFlow extends BaseOAuthFlow {
     private checkDeviceCode;
 }
+/**
+ * Magic Link / OTP Flow
+ *
+ * Passwordless authentication supporting two modes:
+ * 1. OTP Code (type: 'email') - User receives 6-digit code to enter manually (CLI, mobile)
+ * 2. Magic Link (type: 'magiclink') - User clicks link in email (web, desktop)
+ *
+ * Usage:
+ * ```typescript
+ * // OTP Code Flow (CLI)
+ * const flow = new MagicLinkFlow({ clientId: 'my-app' });
+ * await flow.requestOTP('user@example.com');
+ * const tokens = await flow.verifyOTP('user@example.com', '123456');
+ *
+ * // Magic Link Flow (Web)
+ * const flow = new MagicLinkFlow({ clientId: 'my-app' });
+ * await flow.requestMagicLink('user@example.com', 'https://myapp.com/auth/callback');
+ * // User clicks link in email, then:
+ * const tokens = await flow.exchangeMagicLinkToken(supabaseAccessToken, state);
+ * ```
+ */
+type OTPType = 'email' | 'magiclink';
+type Platform = 'cli' | 'web' | 'mcp' | 'api';
+interface MagicLinkConfig extends OAuthConfig {
+    projectScope?: string;
+    platform?: Platform;
+}
+interface OTPSendResponse {
+    success: boolean;
+    message: string;
+    type: OTPType;
+    expires_in: number;
+}
+interface OTPVerifyResponse extends TokenResponse {
+    auth_method: 'otp' | 'magic_link';
+    user?: {
+        id: string;
+        email: string;
+        role: string;
+    };
+}
+interface MagicLinkExchangeResponse extends TokenResponse {
+    redirect_to?: string;
+    user?: {
+        id: string;
+        email?: string;
+        role?: string;
+        project_scope?: string;
+    };
+}
+declare class MagicLinkFlow extends BaseOAuthFlow {
+    private readonly projectScope;
+    private readonly platform;
+    constructor(config: MagicLinkConfig);
+    /**
+     * Main authenticate method - uses OTP code flow by default
+     * For interactive CLI usage, prefer using requestOTP() and verifyOTP() separately
+     */
+    authenticate(): Promise<TokenResponse>;
+    /**
+     * Request a 6-digit OTP code to be sent via email
+     * User will enter this code manually in the CLI
+     *
+     * @param email - User's email address
+     * @returns Response with success status and expiration time
+     */
+    requestOTP(email: string): Promise<OTPSendResponse>;
+    /**
+     * Verify the OTP code entered by the user and get tokens
+     *
+     * @param email - User's email address (must match the one used in requestOTP)
+     * @param code - 6-digit OTP code from email
+     * @returns Token response with access_token, refresh_token, etc.
+     */
+    verifyOTP(email: string, code: string): Promise<OTPVerifyResponse>;
+    /**
+     * Resend OTP code (rate limited)
+     *
+     * @param email - User's email address
+     * @returns Response with success status
+     */
+    resendOTP(email: string): Promise<OTPSendResponse>;
+    /**
+     * Request a magic link to be sent via email
+     * User will click the link which redirects to your callback URL
+     *
+     * @param email - User's email address
+     * @param redirectUri - URL to redirect to after clicking the magic link
+     * @returns Response with success status
+     */
+    requestMagicLink(email: string, redirectUri: string): Promise<OTPSendResponse>;
+    /**
+     * Alternative: Use the /v1/auth/magic-link endpoint (web-optimized)
+     * This endpoint provides better redirect handling for web apps
+     *
+     * @param email - User's email address
+     * @param redirectUri - URL to redirect to after authentication
+     * @param createUser - Whether to create a new user if email doesn't exist
+     */
+    requestMagicLinkWeb(email: string, redirectUri: string, createUser?: boolean): Promise<{
+        success: boolean;
+        message: string;
+    }>;
+    /**
+     * Exchange magic link token for auth-gateway tokens
+     * Called after user clicks the magic link and is redirected to your callback
+     *
+     * @param supabaseAccessToken - Access token from Supabase (from URL hash/query)
+     * @param state - State parameter from the callback URL
+     * @returns Token response with redirect URL
+     */
+    exchangeMagicLinkToken(supabaseAccessToken: string, state: string): Promise<MagicLinkExchangeResponse>;
+    /**
+     * Check if an email is valid format
+     */
+    static isValidEmail(email: string): boolean;
+    /**
+     * Check if an OTP code is valid format (6 digits)
+     */
+    static isValidOTPCode(code: string): boolean;
+}
+/**
+ * API Key Authentication Flow
+ *
+ * This flow uses a direct API key for authentication instead of OAuth.
+ * The API key is sent via x-api-key header to the backend.
+ */
+declare class APIKeyFlow extends BaseOAuthFlow {
+    private apiKey;
+    constructor(apiKey: string, authBaseUrl?: string);
+    /**
+     * "Authenticate" by returning the API key as a virtual token
+     * The API key will be used directly in request headers
+     */
+    authenticate(): Promise<TokenResponse>;
+    /**
+     * API keys don't need refresh
+     */
+    refreshToken(refreshToken: string): Promise<TokenResponse>;
+    /**
+     * Optional: Validate API key by making a test request
+     */
+    validateAPIKey(): Promise<boolean>;
+}
 interface MCPClientConfig extends Partial<OAuthConfig> {
     mcpEndpoint?: string;
     autoRefresh?: boolean;
@@ -51,4 +198,4 @@ declare class MCPClient {
     deleteMemory(id: string): Promise<void>;
 }
-export { BaseOAuthFlow, MCPClient, type MCPClientConfig, OAuthConfig, TerminalOAuthFlow, TokenResponse, TokenStorageAdapter };
+export { APIKeyFlow, BaseOAuthFlow, MCPClient, type MCPClientConfig, type MagicLinkConfig, type MagicLinkExchangeResponse, MagicLinkFlow, OAuthConfig, type OTPSendResponse, type OTPType, type OTPVerifyResponse, type Platform, TerminalOAuthFlow, TokenResponse, TokenStorageAdapter };

package/dist/index.mjs CHANGED Viewed

@@ -331,6 +331,256 @@ var DesktopOAuthFlow = class extends BaseOAuthFlow {
   }
 };
+// src/flows/magic-link-flow.ts
+import fetch3 from "cross-fetch";
+var MagicLinkFlow = class extends BaseOAuthFlow {
+  constructor(config) {
+    super(config);
+    this.projectScope = config.projectScope || "lanonasis-maas";
+    this.platform = config.platform || "cli";
+  }
+  /**
+   * Main authenticate method - uses OTP code flow by default
+   * For interactive CLI usage, prefer using requestOTP() and verifyOTP() separately
+   */
+  async authenticate() {
+    throw new Error(
+      "MagicLinkFlow requires two-step authentication. Use requestOTP() + verifyOTP() for CLI, or requestMagicLink() for web."
+    );
+  }
+  // ============================================================================
+  // OTP Code Flow (for CLI, mobile - user enters code manually)
+  // ============================================================================
+  /**
+   * Request a 6-digit OTP code to be sent via email
+   * User will enter this code manually in the CLI
+   *
+   * @param email - User's email address
+   * @returns Response with success status and expiration time
+   */
+  async requestOTP(email) {
+    const response = await fetch3(`${this.authBaseUrl}/v1/auth/otp/send`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        email: email.trim().toLowerCase(),
+        type: "email",
+        // Explicitly request 6-digit code, not magic link
+        platform: this.platform,
+        project_scope: this.projectScope
+      })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      throw new Error(data.message || data.error || "Failed to send OTP");
+    }
+    return data;
+  }
+  /**
+   * Verify the OTP code entered by the user and get tokens
+   *
+   * @param email - User's email address (must match the one used in requestOTP)
+   * @param code - 6-digit OTP code from email
+   * @returns Token response with access_token, refresh_token, etc.
+   */
+  async verifyOTP(email, code) {
+    const response = await fetch3(`${this.authBaseUrl}/v1/auth/otp/verify`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        email: email.trim().toLowerCase(),
+        token: code.trim(),
+        type: "email",
+        platform: this.platform,
+        project_scope: this.projectScope
+      })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      throw new Error(data.message || data.error || "Invalid or expired OTP code");
+    }
+    return data;
+  }
+  /**
+   * Resend OTP code (rate limited)
+   *
+   * @param email - User's email address
+   * @returns Response with success status
+   */
+  async resendOTP(email) {
+    const response = await fetch3(`${this.authBaseUrl}/v1/auth/otp/resend`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        email: email.trim().toLowerCase(),
+        type: "email",
+        platform: this.platform
+      })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      if (response.status === 429) {
+        throw new Error("Rate limited. Please wait before requesting another code.");
+      }
+      throw new Error(data.message || data.error || "Failed to resend OTP");
+    }
+    return data;
+  }
+  // ============================================================================
+  // Magic Link Flow (for web, desktop - user clicks link in email)
+  // ============================================================================
+  /**
+   * Request a magic link to be sent via email
+   * User will click the link which redirects to your callback URL
+   *
+   * @param email - User's email address
+   * @param redirectUri - URL to redirect to after clicking the magic link
+   * @returns Response with success status
+   */
+  async requestMagicLink(email, redirectUri) {
+    const response = await fetch3(`${this.authBaseUrl}/v1/auth/otp/send`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        email: email.trim().toLowerCase(),
+        type: "magiclink",
+        redirect_uri: redirectUri,
+        platform: this.platform,
+        project_scope: this.projectScope
+      })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      throw new Error(data.message || data.error || "Failed to send magic link");
+    }
+    return data;
+  }
+  /**
+   * Alternative: Use the /v1/auth/magic-link endpoint (web-optimized)
+   * This endpoint provides better redirect handling for web apps
+   *
+   * @param email - User's email address
+   * @param redirectUri - URL to redirect to after authentication
+   * @param createUser - Whether to create a new user if email doesn't exist
+   */
+  async requestMagicLinkWeb(email, redirectUri, createUser = true) {
+    const response = await fetch3(`${this.authBaseUrl}/v1/auth/magic-link`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        email: email.trim().toLowerCase(),
+        redirect_uri: redirectUri,
+        return_to: redirectUri,
+        // Alias for compatibility
+        project_scope: this.projectScope,
+        platform: "web",
+        create_user: createUser
+      })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      throw new Error(data.message || data.error || "Failed to send magic link");
+    }
+    return data;
+  }
+  /**
+   * Exchange magic link token for auth-gateway tokens
+   * Called after user clicks the magic link and is redirected to your callback
+   *
+   * @param supabaseAccessToken - Access token from Supabase (from URL hash/query)
+   * @param state - State parameter from the callback URL
+   * @returns Token response with redirect URL
+   */
+  async exchangeMagicLinkToken(supabaseAccessToken, state) {
+    const response = await fetch3(`${this.authBaseUrl}/v1/auth/magic-link/exchange`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${supabaseAccessToken}`
+      },
+      body: JSON.stringify({ state })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      throw new Error(data.message || data.error || "Magic link exchange failed");
+    }
+    return data;
+  }
+  // ============================================================================
+  // Utility Methods
+  // ============================================================================
+  /**
+   * Check if an email is valid format
+   */
+  static isValidEmail(email) {
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    return emailRegex.test(email.trim());
+  }
+  /**
+   * Check if an OTP code is valid format (6 digits)
+   */
+  static isValidOTPCode(code) {
+    return /^\d{6}$/.test(code.trim());
+  }
+};
+// src/flows/apikey-flow.ts
+import fetch4 from "cross-fetch";
+var APIKeyFlow = class extends BaseOAuthFlow {
+  constructor(apiKey, authBaseUrl = "https://mcp.lanonasis.com") {
+    super({
+      clientId: "api-key-client",
+      authBaseUrl
+    });
+    this.apiKey = apiKey;
+  }
+  /**
+   * "Authenticate" by returning the API key as a virtual token
+   * The API key will be used directly in request headers
+   */
+  async authenticate() {
+    if (!this.apiKey || !this.apiKey.startsWith("lano_") && !this.apiKey.startsWith("vx_")) {
+      throw new Error(
+        'Invalid API key format. Must start with "lano_" or "vx_". Please regenerate your API key from the dashboard.'
+      );
+    }
+    if (this.apiKey.startsWith("vx_")) {
+      console.warn(
+        '\u26A0\uFE0F  DEPRECATION WARNING: API keys with "vx_" prefix are deprecated and will stop working soon. Please regenerate your API key from the dashboard to get a "lano_" prefixed key. Support for "vx_" keys will be removed in a future version.'
+      );
+    }
+    return {
+      access_token: this.apiKey,
+      token_type: "api-key",
+      expires_in: 0,
+      // API keys don't expire
+      issued_at: Date.now()
+    };
+  }
+  /**
+   * API keys don't need refresh
+   */
+  async refreshToken(refreshToken) {
+    throw new Error("API keys do not support token refresh");
+  }
+  /**
+   * Optional: Validate API key by making a test request
+   */
+  async validateAPIKey() {
+    try {
+      const response = await fetch4(`${this.authBaseUrl}/api/v1/health`, {
+        headers: {
+          "x-api-key": this.apiKey
+        }
+      });
+      return response.ok;
+    } catch (error) {
+      console.error("API key validation failed:", error);
+      return false;
+    }
+  }
+};
 // src/storage/token-storage.ts
 var _fs = null;
 var _path = null;
@@ -1368,66 +1618,7 @@ var ApiKeyStorageWeb = class {
 };
 // src/client/mcp-client.ts
-import fetch4 from "cross-fetch";
-// src/flows/apikey-flow.ts
-import fetch3 from "cross-fetch";
-var APIKeyFlow = class extends BaseOAuthFlow {
-  constructor(apiKey, authBaseUrl = "https://mcp.lanonasis.com") {
-    super({
-      clientId: "api-key-client",
-      authBaseUrl
-    });
-    this.apiKey = apiKey;
-  }
-  /**
-   * "Authenticate" by returning the API key as a virtual token
-   * The API key will be used directly in request headers
-   */
-  async authenticate() {
-    if (!this.apiKey || !this.apiKey.startsWith("lano_") && !this.apiKey.startsWith("vx_")) {
-      throw new Error(
-        'Invalid API key format. Must start with "lano_" or "vx_". Please regenerate your API key from the dashboard.'
-      );
-    }
-    if (this.apiKey.startsWith("vx_")) {
-      console.warn(
-        '\u26A0\uFE0F  DEPRECATION WARNING: API keys with "vx_" prefix are deprecated and will stop working soon. Please regenerate your API key from the dashboard to get a "lano_" prefixed key. Support for "vx_" keys will be removed in a future version.'
-      );
-    }
-    return {
-      access_token: this.apiKey,
-      token_type: "api-key",
-      expires_in: 0,
-      // API keys don't expire
-      issued_at: Date.now()
-    };
-  }
-  /**
-   * API keys don't need refresh
-   */
-  async refreshToken(refreshToken) {
-    throw new Error("API keys do not support token refresh");
-  }
-  /**
-   * Optional: Validate API key by making a test request
-   */
-  async validateAPIKey() {
-    try {
-      const response = await fetch3(`${this.config.authBaseUrl}/api/v1/health`, {
-        headers: {
-          "x-api-key": this.apiKey
-        }
-      });
-      return response.ok;
-    } catch (error) {
-      console.error("API key validation failed:", error);
-      return false;
-    }
-  }
-};
-// src/client/mcp-client.ts
+import fetch5 from "cross-fetch";
 var MCPClient = class {
   constructor(config = {}) {
     // ← NEW: Track auth mode
@@ -1656,7 +1847,7 @@ var MCPClient = class {
     } else {
       headers["Authorization"] = `Bearer ${this.accessToken}`;
     }
-    const response = await fetch4(`${this.config.mcpEndpoint}/api`, {
+    const response = await fetch5(`${this.config.mcpEndpoint}/api`, {
       method: "POST",
       headers,
       body: JSON.stringify({
@@ -1757,7 +1948,7 @@ var MCPClient = class {
 };
 // src/client/auth-gateway-client.ts
-import fetch5 from "cross-fetch";
+import fetch6 from "cross-fetch";
 var GatewayOAuthFlow = class extends BaseOAuthFlow {
   async authenticate() {
     throw new Error("Interactive authentication is not supported in AuthGatewayClient.");
@@ -1921,7 +2112,7 @@ var AuthGatewayClient = class {
     return "jwt";
   }
   async requestJson(path, options) {
-    const response = await fetch5(`${this.authBaseUrl}${path.startsWith("/") ? path : `/${path}`}`, options);
+    const response = await fetch6(`${this.authBaseUrl}${path.startsWith("/") ? path : `/${path}`}`, options);
     const text = await response.text();
     let data = null;
     if (text) {
@@ -1942,12 +2133,14 @@ var AuthGatewayClient = class {
   }
 };
 export {
+  APIKeyFlow,
   ApiKeyStorage,
   ApiKeyStorageWeb,
   AuthGatewayClient,
   BaseOAuthFlow,
   DesktopOAuthFlow,
   MCPClient,
+  MagicLinkFlow,
   TerminalOAuthFlow,
   TokenStorage,
   TokenStorageWeb

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lanonasis/oauth-client",
-  "version": "1.2.7",
+  "version": "1.2.8",
   "type": "module",
   "description": "OAuth and API Key authentication client for Lan Onasis MCP integration",
   "license": "MIT",