@lanonasis/oauth-client 1.2.7 → 2.0.0

package/README.md

@@ -126,5 +126,24 @@ const hashed = await apiKeys.getApiKey(); // returns sha256 hex digest
 - `README.md`
 - `LICENSE`
 
+## Auth-Gateway Compatibility
+
+This SDK implements client-side equivalents of the auth-gateway's authentication methods:
+
+| Auth-Gateway Endpoint | SDK Class | Use Case |
+|-----------------------|-----------|----------|
+| `POST /oauth/device` | `TerminalOAuthFlow` | CLI/terminal apps |
+| `GET /oauth/authorize` | `DesktopOAuthFlow` | Desktop apps (Electron) |
+| `POST /v1/auth/otp/*` | `MagicLinkFlow` | Mobile/passwordless |
+| `X-API-Key` header | `APIKeyFlow` | Server-to-server |
+| `MCPClient` | Combined | Auto-detects best method |
+
+### Methods NOT Exposed (Security)
+- Email/Password: Server-rendered form only
+- Admin Bypass: Internal emergency access
+- Supabase OAuth 2.1: Internal Supabase integration
+
+See [auth-gateway/AUTHENTICATION-METHODS.md](../../apps/onasis-core/services/auth-gateway/AUTHENTICATION-METHODS.md) for complete server-side documentation.
+
 ## License
 MIT © Lan Onasis

package/dist/browser.cjs

@@ -433,7 +433,7 @@ var APIKeyFlow = class extends BaseOAuthFlow {
    */
   async validateAPIKey() {
     try {
-      const response = await (0, import_cross_fetch2.default)(`${this.config.authBaseUrl}/api/v1/health`, {
+      const response = await (0, import_cross_fetch2.default)(`${this.authBaseUrl}/api/v1/health`, {
         headers: {
           "x-api-key": this.apiKey
         }

package/dist/browser.mjs

@@ -399,7 +399,7 @@ var APIKeyFlow = class extends BaseOAuthFlow {
    */
   async validateAPIKey() {
     try {
-      const response = await fetch2(`${this.config.authBaseUrl}/api/v1/health`, {
+      const response = await fetch2(`${this.authBaseUrl}/api/v1/health`, {
         headers: {
           "x-api-key": this.apiKey
         }

package/dist/constants-BOZ6jJU4.d.cts

@@ -0,0 +1,110 @@
+/**
+ * React-specific types for SSO authentication
+ * @module @lanonasis/oauth-client/react
+ */
+/**
+ * SSO User information from the lanonasis_user cookie
+ */
+interface SSOUser {
+    id: string;
+    email: string;
+    role: string;
+    name?: string;
+    avatar_url?: string;
+}
+/**
+ * SSO authentication state
+ */
+interface SSOState {
+    /** Whether the user is authenticated */
+    isAuthenticated: boolean;
+    /** Whether the auth state is being determined */
+    isLoading: boolean;
+    /** User information if authenticated */
+    user: SSOUser | null;
+    /** Error message if auth check failed */
+    error: string | null;
+}
+/**
+ * Configuration for the SSO hook
+ */
+interface SSOConfig {
+    /** Auth gateway URL (default: https://auth.lanonasis.com) */
+    authGatewayUrl?: string;
+    /** Cookie domain (default: .lanonasis.com) */
+    cookieDomain?: string;
+    /** Callback when auth state changes */
+    onAuthChange?: (state: SSOState) => void;
+    /** Polling interval in ms for cookie changes (default: 30000) */
+    pollInterval?: number;
+}
+/**
+ * Configuration for Supabase-to-cookie sync
+ */
+interface SSOSyncConfig {
+    /** Auth gateway URL (default: https://auth.lanonasis.com) */
+    authGatewayUrl?: string;
+    /** Project scope for multi-tenant auth */
+    projectScope?: string;
+    /** Callback when sync completes */
+    onSyncComplete?: (success: boolean) => void;
+}
+/**
+ * Supabase session interface (minimal for what we need)
+ */
+interface SupabaseSession {
+    access_token: string;
+    refresh_token?: string;
+}
+/**
+ * Return type for useSSO hook
+ */
+interface UseSSOReturn extends SSOState {
+    /** Manually refresh auth state */
+    refresh: () => void;
+    /** Logout and redirect to auth gateway */
+    logout: (returnTo?: string) => void;
+    /** Get login URL with optional return URL */
+    getLoginUrl: (returnTo?: string) => string;
+}
+/**
+ * Return type for useSSOSync hook
+ */
+interface UseSSOSyncReturn {
+    /** Manually trigger sync */
+    sync: () => Promise<boolean>;
+    /** Sync with gateway directly */
+    syncWithGateway: (session: SupabaseSession) => Promise<boolean>;
+}
+
+/**
+ * Cookie constants and utilities shared between browser and server
+ * @module @lanonasis/oauth-client/cookies
+ */
+/**
+ * Cookie names used by Lan Onasis auth system
+ */
+declare const COOKIE_NAMES: {
+    /** HttpOnly JWT session token */
+    readonly SESSION: "lanonasis_session";
+    /** Readable user metadata (JSON) */
+    readonly USER: "lanonasis_user";
+};
+/**
+ * Default cookie domain for cross-subdomain SSO
+ */
+declare const DEFAULT_COOKIE_DOMAIN = ".lanonasis.com";
+/**
+ * Default auth gateway URL
+ */
+declare const DEFAULT_AUTH_GATEWAY = "https://auth.lanonasis.com";
+/**
+ * Default polling interval for cookie changes (30 seconds)
+ */
+declare const DEFAULT_POLL_INTERVAL = 30000;
+/**
+ * Default project scope for multi-tenant auth
+ */
+declare const DEFAULT_PROJECT_SCOPE = "lanonasis-maas";
+
+export { COOKIE_NAMES as C, DEFAULT_AUTH_GATEWAY as D, type SSOConfig as S, type UseSSOReturn as U, type SupabaseSession as a, type SSOSyncConfig as b, type UseSSOSyncReturn as c, type SSOUser as d, type SSOState as e, DEFAULT_COOKIE_DOMAIN as f, DEFAULT_POLL_INTERVAL as g, DEFAULT_PROJECT_SCOPE as h };

package/dist/constants-BOZ6jJU4.d.ts

@@ -0,0 +1,110 @@
+/**
+ * React-specific types for SSO authentication
+ * @module @lanonasis/oauth-client/react
+ */
+/**
+ * SSO User information from the lanonasis_user cookie
+ */
+interface SSOUser {
+    id: string;
+    email: string;
+    role: string;
+    name?: string;
+    avatar_url?: string;
+}
+/**
+ * SSO authentication state
+ */
+interface SSOState {
+    /** Whether the user is authenticated */
+    isAuthenticated: boolean;
+    /** Whether the auth state is being determined */
+    isLoading: boolean;
+    /** User information if authenticated */
+    user: SSOUser | null;
+    /** Error message if auth check failed */
+    error: string | null;
+}
+/**
+ * Configuration for the SSO hook
+ */
+interface SSOConfig {
+    /** Auth gateway URL (default: https://auth.lanonasis.com) */
+    authGatewayUrl?: string;
+    /** Cookie domain (default: .lanonasis.com) */
+    cookieDomain?: string;
+    /** Callback when auth state changes */
+    onAuthChange?: (state: SSOState) => void;
+    /** Polling interval in ms for cookie changes (default: 30000) */
+    pollInterval?: number;
+}
+/**
+ * Configuration for Supabase-to-cookie sync
+ */
+interface SSOSyncConfig {
+    /** Auth gateway URL (default: https://auth.lanonasis.com) */
+    authGatewayUrl?: string;
+    /** Project scope for multi-tenant auth */
+    projectScope?: string;
+    /** Callback when sync completes */
+    onSyncComplete?: (success: boolean) => void;
+}
+/**
+ * Supabase session interface (minimal for what we need)
+ */
+interface SupabaseSession {
+    access_token: string;
+    refresh_token?: string;
+}
+/**
+ * Return type for useSSO hook
+ */
+interface UseSSOReturn extends SSOState {
+    /** Manually refresh auth state */
+    refresh: () => void;
+    /** Logout and redirect to auth gateway */
+    logout: (returnTo?: string) => void;
+    /** Get login URL with optional return URL */
+    getLoginUrl: (returnTo?: string) => string;
+}
+/**
+ * Return type for useSSOSync hook
+ */
+interface UseSSOSyncReturn {
+    /** Manually trigger sync */
+    sync: () => Promise<boolean>;
+    /** Sync with gateway directly */
+    syncWithGateway: (session: SupabaseSession) => Promise<boolean>;
+}
+
+/**
+ * Cookie constants and utilities shared between browser and server
+ * @module @lanonasis/oauth-client/cookies
+ */
+/**
+ * Cookie names used by Lan Onasis auth system
+ */
+declare const COOKIE_NAMES: {
+    /** HttpOnly JWT session token */
+    readonly SESSION: "lanonasis_session";
+    /** Readable user metadata (JSON) */
+    readonly USER: "lanonasis_user";
+};
+/**
+ * Default cookie domain for cross-subdomain SSO
+ */
+declare const DEFAULT_COOKIE_DOMAIN = ".lanonasis.com";
+/**
+ * Default auth gateway URL
+ */
+declare const DEFAULT_AUTH_GATEWAY = "https://auth.lanonasis.com";
+/**
+ * Default polling interval for cookie changes (30 seconds)
+ */
+declare const DEFAULT_POLL_INTERVAL = 30000;
+/**
+ * Default project scope for multi-tenant auth
+ */
+declare const DEFAULT_PROJECT_SCOPE = "lanonasis-maas";
+
+export { COOKIE_NAMES as C, DEFAULT_AUTH_GATEWAY as D, type SSOConfig as S, type UseSSOReturn as U, type SupabaseSession as a, type SSOSyncConfig as b, type UseSSOSyncReturn as c, type SSOUser as d, type SSOState as e, DEFAULT_COOKIE_DOMAIN as f, DEFAULT_POLL_INTERVAL as g, DEFAULT_PROJECT_SCOPE as h };

package/dist/index.cjs

@@ -30,12 +30,14 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  APIKeyFlow: () => APIKeyFlow,
   ApiKeyStorage: () => ApiKeyStorage,
   ApiKeyStorageWeb: () => ApiKeyStorageWeb,
   AuthGatewayClient: () => AuthGatewayClient,
   BaseOAuthFlow: () => BaseOAuthFlow,
   DesktopOAuthFlow: () => DesktopOAuthFlow,
   MCPClient: () => MCPClient,
+  MagicLinkFlow: () => MagicLinkFlow,
   TerminalOAuthFlow: () => TerminalOAuthFlow,
   TokenStorage: () => TokenStorage,
   TokenStorageWeb: () => TokenStorageWeb
@@ -368,6 +370,272 @@ var DesktopOAuthFlow = class extends BaseOAuthFlow {
   }
 };
 
+// src/flows/magic-link-flow.ts
+var import_cross_fetch3 = __toESM(require("cross-fetch"), 1);
+var MagicLinkFlow = class extends BaseOAuthFlow {
+  constructor(config) {
+    super(config);
+    this.projectScope = config.projectScope || "lanonasis-maas";
+    this.platform = config.platform || "cli";
+  }
+  /**
+   * Main authenticate method - uses OTP code flow by default
+   * For interactive CLI usage, prefer using requestOTP() and verifyOTP() separately
+   */
+  async authenticate() {
+    throw new Error(
+      "MagicLinkFlow requires two-step authentication. Use requestOTP() + verifyOTP() for CLI, or requestMagicLink() for web."
+    );
+  }
+  // ============================================================================
+  // OTP Code Flow (for CLI, mobile - user enters code manually)
+  // ============================================================================
+  /**
+   * Request a 6-digit OTP code to be sent via email
+   * User will enter this code manually in the CLI
+   *
+   * @param email - User's email address
+   * @returns Response with success status and expiration time
+   */
+  async requestOTP(email) {
+    if (typeof email !== "string" || !email.trim()) {
+      throw new Error("Invalid email: a non-empty email address is required to request an OTP.");
+    }
+    const normalizedEmail = email.trim().toLowerCase();
+    const response = await (0, import_cross_fetch3.default)(`${this.authBaseUrl}/v1/auth/otp/send`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        email: normalizedEmail,
+        type: "email",
+        // Explicitly request 6-digit code, not magic link
+        platform: this.platform,
+        project_scope: this.projectScope
+      })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      throw new Error(data.message || data.error || "Failed to send OTP");
+    }
+    return data;
+  }
+  /**
+   * Verify the OTP code entered by the user and get tokens
+   *
+   * @param email - User's email address (must match the one used in requestOTP)
+   * @param code - 6-digit OTP code from email
+   * @returns Token response with access_token, refresh_token, etc.
+   */
+  async verifyOTP(email, code) {
+    const response = await (0, import_cross_fetch3.default)(`${this.authBaseUrl}/v1/auth/otp/verify`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        email: email.trim().toLowerCase(),
+        token: code.trim(),
+        type: "email",
+        platform: this.platform,
+        project_scope: this.projectScope
+      })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      throw new Error(data.message || data.error || "Invalid or expired OTP code");
+    }
+    return data;
+  }
+  /**
+   * Resend OTP code (rate limited)
+   *
+   * @param email - User's email address
+   * @returns Response with success status
+   */
+  async resendOTP(email) {
+    const response = await (0, import_cross_fetch3.default)(`${this.authBaseUrl}/v1/auth/otp/resend`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        email: email.trim().toLowerCase(),
+        type: "email",
+        platform: this.platform
+      })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      if (response.status === 429) {
+        throw new Error("Rate limited. Please wait before requesting another code.");
+      }
+      throw new Error(data.message || data.error || "Failed to resend OTP");
+    }
+    return data;
+  }
+  // ============================================================================
+  // Magic Link Flow (for web, desktop - user clicks link in email)
+  // ============================================================================
+  /**
+   * Request a magic link to be sent via email
+   * User will click the link which redirects to your callback URL
+   *
+   * @param email - User's email address
+   * @param redirectUri - URL to redirect to after clicking the magic link
+   * @returns Response with success status
+   */
+  async requestMagicLink(email, redirectUri) {
+    const response = await (0, import_cross_fetch3.default)(`${this.authBaseUrl}/v1/auth/otp/send`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        email: email.trim().toLowerCase(),
+        type: "magiclink",
+        redirect_uri: redirectUri,
+        platform: this.platform,
+        project_scope: this.projectScope
+      })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      throw new Error(data.message || data.error || "Failed to send magic link");
+    }
+    return data;
+  }
+  /**
+   * Alternative: Use the /v1/auth/magic-link endpoint (web-optimized)
+   * This endpoint provides better redirect handling for web apps
+   *
+   * @param email - User's email address
+   * @param redirectUri - URL to redirect to after authentication
+   * @param createUser - Whether to create a new user if email doesn't exist
+   */
+  async requestMagicLinkWeb(email, redirectUri, createUser = true) {
+    const response = await (0, import_cross_fetch3.default)(`${this.authBaseUrl}/v1/auth/magic-link`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        email: email.trim().toLowerCase(),
+        redirect_uri: redirectUri,
+        return_to: redirectUri,
+        // Alias for compatibility
+        project_scope: this.projectScope,
+        platform: "web",
+        create_user: createUser
+      })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      throw new Error(data.message || data.error || "Failed to send magic link");
+    }
+    return data;
+  }
+  /**
+   * Exchange magic link token for auth-gateway tokens
+   * Called after user clicks the magic link and is redirected to your callback
+   *
+   * @param supabaseAccessToken - Access token from Supabase (from URL hash/query)
+   * @param state - State parameter from the callback URL
+   * @returns Token response with redirect URL
+   */
+  async exchangeMagicLinkToken(supabaseAccessToken, state) {
+    const response = await (0, import_cross_fetch3.default)(`${this.authBaseUrl}/v1/auth/magic-link/exchange`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${supabaseAccessToken}`
+      },
+      body: JSON.stringify({ state })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      throw new Error(data.message || data.error || "Magic link exchange failed");
+    }
+    return data;
+  }
+  // ============================================================================
+  // Utility Methods
+  // ============================================================================
+  /**
+   * Check if an email is valid format
+   */
+  static isValidEmail(email) {
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    return emailRegex.test(email.trim());
+  }
+  /**
+   * Check if an OTP code is valid format (6 digits).
+   *
+   * This method:
+   * - Trims leading and trailing whitespace from the input before validating.
+   * - Requires exactly 6 numeric digits (0–9); any non-numeric characters or
+   *   incorrect length will cause it to return `false`.
+   *
+   * Note: This method expects a string value. Passing `null`, `undefined`, or
+   * other non-string values will result in a runtime error when `.trim()` is
+   * called, rather than returning `false`.
+   *
+   * @param code - The OTP code to validate.
+   * @returns `true` if the trimmed code consists of exactly 6 digits, otherwise `false`.
+   */
+  static isValidOTPCode(code) {
+    return /^\d{6}$/.test(code.trim());
+  }
+};
+
+// src/flows/apikey-flow.ts
+var import_cross_fetch4 = __toESM(require("cross-fetch"), 1);
+var APIKeyFlow = class extends BaseOAuthFlow {
+  constructor(apiKey, authBaseUrl = "https://mcp.lanonasis.com") {
+    super({
+      clientId: "api-key-client",
+      authBaseUrl
+    });
+    this.apiKey = apiKey;
+  }
+  /**
+   * "Authenticate" by returning the API key as a virtual token
+   * The API key will be used directly in request headers
+   */
+  async authenticate() {
+    if (!this.apiKey || !this.apiKey.startsWith("lano_") && !this.apiKey.startsWith("vx_")) {
+      throw new Error(
+        'Invalid API key format. Must start with "lano_" or "vx_". Please regenerate your API key from the dashboard.'
+      );
+    }
+    if (this.apiKey.startsWith("vx_")) {
+      console.warn(
+        '\u26A0\uFE0F  DEPRECATION WARNING: API keys with "vx_" prefix are deprecated and will stop working soon. Please regenerate your API key from the dashboard to get a "lano_" prefixed key. Support for "vx_" keys will be removed in a future version.'
+      );
+    }
+    return {
+      access_token: this.apiKey,
+      token_type: "api-key",
+      expires_in: 0,
+      // API keys don't expire
+      issued_at: Date.now()
+    };
+  }
+  /**
+   * API keys don't need refresh
+   */
+  async refreshToken(refreshToken) {
+    throw new Error("API keys do not support token refresh");
+  }
+  /**
+   * Optional: Validate API key by making a test request
+   */
+  async validateAPIKey() {
+    try {
+      const response = await (0, import_cross_fetch4.default)(`${this.authBaseUrl}/api/v1/health`, {
+        headers: {
+          "x-api-key": this.apiKey
+        }
+      });
+      return response.ok;
+    } catch (error) {
+      console.error("API key validation failed:", error);
+      return false;
+    }
+  }
+};
+
 // src/storage/token-storage.ts
 var _fs = null;
 var _path = null;
@@ -1405,66 +1673,7 @@ var ApiKeyStorageWeb = class {
 };
 
 // src/client/mcp-client.ts
-var import_cross_fetch4 = __toESM(require("cross-fetch"), 1);
-
-// src/flows/apikey-flow.ts
-var import_cross_fetch3 = __toESM(require("cross-fetch"), 1);
-var APIKeyFlow = class extends BaseOAuthFlow {
-  constructor(apiKey, authBaseUrl = "https://mcp.lanonasis.com") {
-    super({
-      clientId: "api-key-client",
-      authBaseUrl
-    });
-    this.apiKey = apiKey;
-  }
-  /**
-   * "Authenticate" by returning the API key as a virtual token
-   * The API key will be used directly in request headers
-   */
-  async authenticate() {
-    if (!this.apiKey || !this.apiKey.startsWith("lano_") && !this.apiKey.startsWith("vx_")) {
-      throw new Error(
-        'Invalid API key format. Must start with "lano_" or "vx_". Please regenerate your API key from the dashboard.'
-      );
-    }
-    if (this.apiKey.startsWith("vx_")) {
-      console.warn(
-        '\u26A0\uFE0F  DEPRECATION WARNING: API keys with "vx_" prefix are deprecated and will stop working soon. Please regenerate your API key from the dashboard to get a "lano_" prefixed key. Support for "vx_" keys will be removed in a future version.'
-      );
-    }
-    return {
-      access_token: this.apiKey,
-      token_type: "api-key",
-      expires_in: 0,
-      // API keys don't expire
-      issued_at: Date.now()
-    };
-  }
-  /**
-   * API keys don't need refresh
-   */
-  async refreshToken(refreshToken) {
-    throw new Error("API keys do not support token refresh");
-  }
-  /**
-   * Optional: Validate API key by making a test request
-   */
-  async validateAPIKey() {
-    try {
-      const response = await (0, import_cross_fetch3.default)(`${this.config.authBaseUrl}/api/v1/health`, {
-        headers: {
-          "x-api-key": this.apiKey
-        }
-      });
-      return response.ok;
-    } catch (error) {
-      console.error("API key validation failed:", error);
-      return false;
-    }
-  }
-};
-
-// src/client/mcp-client.ts
+var import_cross_fetch5 = __toESM(require("cross-fetch"), 1);
 var MCPClient = class {
   constructor(config = {}) {
     // ← NEW: Track auth mode
@@ -1693,7 +1902,7 @@ var MCPClient = class {
     } else {
       headers["Authorization"] = `Bearer ${this.accessToken}`;
     }
-    const response = await (0, import_cross_fetch4.default)(`${this.config.mcpEndpoint}/api`, {
+    const response = await (0, import_cross_fetch5.default)(`${this.config.mcpEndpoint}/api`, {
       method: "POST",
       headers,
       body: JSON.stringify({
@@ -1794,7 +2003,7 @@ var MCPClient = class {
 };
 
 // src/client/auth-gateway-client.ts
-var import_cross_fetch5 = __toESM(require("cross-fetch"), 1);
+var import_cross_fetch6 = __toESM(require("cross-fetch"), 1);
 var GatewayOAuthFlow = class extends BaseOAuthFlow {
   async authenticate() {
     throw new Error("Interactive authentication is not supported in AuthGatewayClient.");
@@ -1958,7 +2167,7 @@ var AuthGatewayClient = class {
     return "jwt";
   }
   async requestJson(path, options) {
-    const response = await (0, import_cross_fetch5.default)(`${this.authBaseUrl}${path.startsWith("/") ? path : `/${path}`}`, options);
+    const response = await (0, import_cross_fetch6.default)(`${this.authBaseUrl}${path.startsWith("/") ? path : `/${path}`}`, options);
     const text = await response.text();
     let data = null;
     if (text) {