@lanonasis/oauth-client 1.2.8 → 2.0.0

package/README.md

@@ -126,5 +126,24 @@ const hashed = await apiKeys.getApiKey(); // returns sha256 hex digest
 - `README.md`
 - `LICENSE`
 
+## Auth-Gateway Compatibility
+
+This SDK implements client-side equivalents of the auth-gateway's authentication methods:
+
+| Auth-Gateway Endpoint | SDK Class | Use Case |
+|-----------------------|-----------|----------|
+| `POST /oauth/device` | `TerminalOAuthFlow` | CLI/terminal apps |
+| `GET /oauth/authorize` | `DesktopOAuthFlow` | Desktop apps (Electron) |
+| `POST /v1/auth/otp/*` | `MagicLinkFlow` | Mobile/passwordless |
+| `X-API-Key` header | `APIKeyFlow` | Server-to-server |
+| `MCPClient` | Combined | Auto-detects best method |
+
+### Methods NOT Exposed (Security)
+- Email/Password: Server-rendered form only
+- Admin Bypass: Internal emergency access
+- Supabase OAuth 2.1: Internal Supabase integration
+
+See [auth-gateway/AUTHENTICATION-METHODS.md](../../apps/onasis-core/services/auth-gateway/AUTHENTICATION-METHODS.md) for complete server-side documentation.
+
 ## License
 MIT © Lan Onasis

package/dist/constants-BOZ6jJU4.d.cts

@@ -0,0 +1,110 @@
+/**
+ * React-specific types for SSO authentication
+ * @module @lanonasis/oauth-client/react
+ */
+/**
+ * SSO User information from the lanonasis_user cookie
+ */
+interface SSOUser {
+    id: string;
+    email: string;
+    role: string;
+    name?: string;
+    avatar_url?: string;
+}
+/**
+ * SSO authentication state
+ */
+interface SSOState {
+    /** Whether the user is authenticated */
+    isAuthenticated: boolean;
+    /** Whether the auth state is being determined */
+    isLoading: boolean;
+    /** User information if authenticated */
+    user: SSOUser | null;
+    /** Error message if auth check failed */
+    error: string | null;
+}
+/**
+ * Configuration for the SSO hook
+ */
+interface SSOConfig {
+    /** Auth gateway URL (default: https://auth.lanonasis.com) */
+    authGatewayUrl?: string;
+    /** Cookie domain (default: .lanonasis.com) */
+    cookieDomain?: string;
+    /** Callback when auth state changes */
+    onAuthChange?: (state: SSOState) => void;
+    /** Polling interval in ms for cookie changes (default: 30000) */
+    pollInterval?: number;
+}
+/**
+ * Configuration for Supabase-to-cookie sync
+ */
+interface SSOSyncConfig {
+    /** Auth gateway URL (default: https://auth.lanonasis.com) */
+    authGatewayUrl?: string;
+    /** Project scope for multi-tenant auth */
+    projectScope?: string;
+    /** Callback when sync completes */
+    onSyncComplete?: (success: boolean) => void;
+}
+/**
+ * Supabase session interface (minimal for what we need)
+ */
+interface SupabaseSession {
+    access_token: string;
+    refresh_token?: string;
+}
+/**
+ * Return type for useSSO hook
+ */
+interface UseSSOReturn extends SSOState {
+    /** Manually refresh auth state */
+    refresh: () => void;
+    /** Logout and redirect to auth gateway */
+    logout: (returnTo?: string) => void;
+    /** Get login URL with optional return URL */
+    getLoginUrl: (returnTo?: string) => string;
+}
+/**
+ * Return type for useSSOSync hook
+ */
+interface UseSSOSyncReturn {
+    /** Manually trigger sync */
+    sync: () => Promise<boolean>;
+    /** Sync with gateway directly */
+    syncWithGateway: (session: SupabaseSession) => Promise<boolean>;
+}
+
+/**
+ * Cookie constants and utilities shared between browser and server
+ * @module @lanonasis/oauth-client/cookies
+ */
+/**
+ * Cookie names used by Lan Onasis auth system
+ */
+declare const COOKIE_NAMES: {
+    /** HttpOnly JWT session token */
+    readonly SESSION: "lanonasis_session";
+    /** Readable user metadata (JSON) */
+    readonly USER: "lanonasis_user";
+};
+/**
+ * Default cookie domain for cross-subdomain SSO
+ */
+declare const DEFAULT_COOKIE_DOMAIN = ".lanonasis.com";
+/**
+ * Default auth gateway URL
+ */
+declare const DEFAULT_AUTH_GATEWAY = "https://auth.lanonasis.com";
+/**
+ * Default polling interval for cookie changes (30 seconds)
+ */
+declare const DEFAULT_POLL_INTERVAL = 30000;
+/**
+ * Default project scope for multi-tenant auth
+ */
+declare const DEFAULT_PROJECT_SCOPE = "lanonasis-maas";
+
+export { COOKIE_NAMES as C, DEFAULT_AUTH_GATEWAY as D, type SSOConfig as S, type UseSSOReturn as U, type SupabaseSession as a, type SSOSyncConfig as b, type UseSSOSyncReturn as c, type SSOUser as d, type SSOState as e, DEFAULT_COOKIE_DOMAIN as f, DEFAULT_POLL_INTERVAL as g, DEFAULT_PROJECT_SCOPE as h };

package/dist/constants-BOZ6jJU4.d.ts

@@ -0,0 +1,110 @@
+/**
+ * React-specific types for SSO authentication
+ * @module @lanonasis/oauth-client/react
+ */
+/**
+ * SSO User information from the lanonasis_user cookie
+ */
+interface SSOUser {
+    id: string;
+    email: string;
+    role: string;
+    name?: string;
+    avatar_url?: string;
+}
+/**
+ * SSO authentication state
+ */
+interface SSOState {
+    /** Whether the user is authenticated */
+    isAuthenticated: boolean;
+    /** Whether the auth state is being determined */
+    isLoading: boolean;
+    /** User information if authenticated */
+    user: SSOUser | null;
+    /** Error message if auth check failed */
+    error: string | null;
+}
+/**
+ * Configuration for the SSO hook
+ */
+interface SSOConfig {
+    /** Auth gateway URL (default: https://auth.lanonasis.com) */
+    authGatewayUrl?: string;
+    /** Cookie domain (default: .lanonasis.com) */
+    cookieDomain?: string;
+    /** Callback when auth state changes */
+    onAuthChange?: (state: SSOState) => void;
+    /** Polling interval in ms for cookie changes (default: 30000) */
+    pollInterval?: number;
+}
+/**
+ * Configuration for Supabase-to-cookie sync
+ */
+interface SSOSyncConfig {
+    /** Auth gateway URL (default: https://auth.lanonasis.com) */
+    authGatewayUrl?: string;
+    /** Project scope for multi-tenant auth */
+    projectScope?: string;
+    /** Callback when sync completes */
+    onSyncComplete?: (success: boolean) => void;
+}
+/**
+ * Supabase session interface (minimal for what we need)
+ */
+interface SupabaseSession {
+    access_token: string;
+    refresh_token?: string;
+}
+/**
+ * Return type for useSSO hook
+ */
+interface UseSSOReturn extends SSOState {
+    /** Manually refresh auth state */
+    refresh: () => void;
+    /** Logout and redirect to auth gateway */
+    logout: (returnTo?: string) => void;
+    /** Get login URL with optional return URL */
+    getLoginUrl: (returnTo?: string) => string;
+}
+/**
+ * Return type for useSSOSync hook
+ */
+interface UseSSOSyncReturn {
+    /** Manually trigger sync */
+    sync: () => Promise<boolean>;
+    /** Sync with gateway directly */
+    syncWithGateway: (session: SupabaseSession) => Promise<boolean>;
+}
+
+/**
+ * Cookie constants and utilities shared between browser and server
+ * @module @lanonasis/oauth-client/cookies
+ */
+/**
+ * Cookie names used by Lan Onasis auth system
+ */
+declare const COOKIE_NAMES: {
+    /** HttpOnly JWT session token */
+    readonly SESSION: "lanonasis_session";
+    /** Readable user metadata (JSON) */
+    readonly USER: "lanonasis_user";
+};
+/**
+ * Default cookie domain for cross-subdomain SSO
+ */
+declare const DEFAULT_COOKIE_DOMAIN = ".lanonasis.com";
+/**
+ * Default auth gateway URL
+ */
+declare const DEFAULT_AUTH_GATEWAY = "https://auth.lanonasis.com";
+/**
+ * Default polling interval for cookie changes (30 seconds)
+ */
+declare const DEFAULT_POLL_INTERVAL = 30000;
+/**
+ * Default project scope for multi-tenant auth
+ */
+declare const DEFAULT_PROJECT_SCOPE = "lanonasis-maas";
+
+export { COOKIE_NAMES as C, DEFAULT_AUTH_GATEWAY as D, type SSOConfig as S, type UseSSOReturn as U, type SupabaseSession as a, type SSOSyncConfig as b, type UseSSOSyncReturn as c, type SSOUser as d, type SSOState as e, DEFAULT_COOKIE_DOMAIN as f, DEFAULT_POLL_INTERVAL as g, DEFAULT_PROJECT_SCOPE as h };

package/dist/index.cjs

@@ -398,11 +398,15 @@ var MagicLinkFlow = class extends BaseOAuthFlow {
    * @returns Response with success status and expiration time
    */
   async requestOTP(email) {
+    if (typeof email !== "string" || !email.trim()) {
+      throw new Error("Invalid email: a non-empty email address is required to request an OTP.");
+    }
+    const normalizedEmail = email.trim().toLowerCase();
     const response = await (0, import_cross_fetch3.default)(`${this.authBaseUrl}/v1/auth/otp/send`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
-        email: email.trim().toLowerCase(),
+        email: normalizedEmail,
         type: "email",
         // Explicitly request 6-digit code, not magic link
         platform: this.platform,
@@ -556,7 +560,19 @@ var MagicLinkFlow = class extends BaseOAuthFlow {
     return emailRegex.test(email.trim());
   }
   /**
-   * Check if an OTP code is valid format (6 digits)
+   * Check if an OTP code is valid format (6 digits).
+   *
+   * This method:
+   * - Trims leading and trailing whitespace from the input before validating.
+   * - Requires exactly 6 numeric digits (0–9); any non-numeric characters or
+   *   incorrect length will cause it to return `false`.
+   *
+   * Note: This method expects a string value. Passing `null`, `undefined`, or
+   * other non-string values will result in a runtime error when `.trim()` is
+   * called, rather than returning `false`.
+   *
+   * @param code - The OTP code to validate.
+   * @returns `true` if the trimmed code consists of exactly 6 digits, otherwise `false`.
    */
   static isValidOTPCode(code) {
     return /^\d{6}$/.test(code.trim());

package/dist/index.d.cts

@@ -131,7 +131,19 @@ declare class MagicLinkFlow extends BaseOAuthFlow {
      */
     static isValidEmail(email: string): boolean;
     /**
-     * Check if an OTP code is valid format (6 digits)
+     * Check if an OTP code is valid format (6 digits).
+     *
+     * This method:
+     * - Trims leading and trailing whitespace from the input before validating.
+     * - Requires exactly 6 numeric digits (0–9); any non-numeric characters or
+     *   incorrect length will cause it to return `false`.
+     *
+     * Note: This method expects a string value. Passing `null`, `undefined`, or
+     * other non-string values will result in a runtime error when `.trim()` is
+     * called, rather than returning `false`.
+     *
+     * @param code - The OTP code to validate.
+     * @returns `true` if the trimmed code consists of exactly 6 digits, otherwise `false`.
      */
     static isValidOTPCode(code: string): boolean;
 }

package/dist/index.d.ts

@@ -131,7 +131,19 @@ declare class MagicLinkFlow extends BaseOAuthFlow {
      */
     static isValidEmail(email: string): boolean;
     /**
-     * Check if an OTP code is valid format (6 digits)
+     * Check if an OTP code is valid format (6 digits).
+     *
+     * This method:
+     * - Trims leading and trailing whitespace from the input before validating.
+     * - Requires exactly 6 numeric digits (0–9); any non-numeric characters or
+     *   incorrect length will cause it to return `false`.
+     *
+     * Note: This method expects a string value. Passing `null`, `undefined`, or
+     * other non-string values will result in a runtime error when `.trim()` is
+     * called, rather than returning `false`.
+     *
+     * @param code - The OTP code to validate.
+     * @returns `true` if the trimmed code consists of exactly 6 digits, otherwise `false`.
      */
     static isValidOTPCode(code: string): boolean;
 }

package/dist/index.mjs

@@ -359,11 +359,15 @@ var MagicLinkFlow = class extends BaseOAuthFlow {
    * @returns Response with success status and expiration time
    */
   async requestOTP(email) {
+    if (typeof email !== "string" || !email.trim()) {
+      throw new Error("Invalid email: a non-empty email address is required to request an OTP.");
+    }
+    const normalizedEmail = email.trim().toLowerCase();
     const response = await fetch3(`${this.authBaseUrl}/v1/auth/otp/send`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
-        email: email.trim().toLowerCase(),
+        email: normalizedEmail,
         type: "email",
         // Explicitly request 6-digit code, not magic link
         platform: this.platform,
@@ -517,7 +521,19 @@ var MagicLinkFlow = class extends BaseOAuthFlow {
     return emailRegex.test(email.trim());
   }
   /**
-   * Check if an OTP code is valid format (6 digits)
+   * Check if an OTP code is valid format (6 digits).
+   *
+   * This method:
+   * - Trims leading and trailing whitespace from the input before validating.
+   * - Requires exactly 6 numeric digits (0–9); any non-numeric characters or
+   *   incorrect length will cause it to return `false`.
+   *
+   * Note: This method expects a string value. Passing `null`, `undefined`, or
+   * other non-string values will result in a runtime error when `.trim()` is
+   * called, rather than returning `false`.
+   *
+   * @param code - The OTP code to validate.
+   * @returns `true` if the trimmed code consists of exactly 6 digits, otherwise `false`.
    */
   static isValidOTPCode(code) {
     return /^\d{6}$/.test(code.trim());

package/dist/react/index.cjs

@@ -0,0 +1,261 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/react/index.ts
+var react_exports = {};
+__export(react_exports, {
+  COOKIE_NAMES: () => COOKIE_NAMES,
+  DEFAULT_AUTH_GATEWAY: () => DEFAULT_AUTH_GATEWAY,
+  DEFAULT_COOKIE_DOMAIN: () => DEFAULT_COOKIE_DOMAIN,
+  DEFAULT_POLL_INTERVAL: () => DEFAULT_POLL_INTERVAL,
+  DEFAULT_PROJECT_SCOPE: () => DEFAULT_PROJECT_SCOPE,
+  clearUserCookie: () => clearUserCookie,
+  hasAuthCookies: () => hasAuthCookies,
+  hasSessionCookie: () => hasSessionCookie,
+  isBrowser: () => isBrowser,
+  parseUserCookie: () => parseUserCookie,
+  useSSO: () => useSSO,
+  useSSOSync: () => useSSOSync
+});
+module.exports = __toCommonJS(react_exports);
+
+// src/react/useSSO.ts
+var import_react = require("react");
+
+// src/cookies/constants.ts
+var COOKIE_NAMES = {
+  /** HttpOnly JWT session token */
+  SESSION: "lanonasis_session",
+  /** Readable user metadata (JSON) */
+  USER: "lanonasis_user"
+};
+var DEFAULT_COOKIE_DOMAIN = ".lanonasis.com";
+var DEFAULT_AUTH_GATEWAY = "https://auth.lanonasis.com";
+var DEFAULT_POLL_INTERVAL = 3e4;
+var DEFAULT_PROJECT_SCOPE = "lanonasis-maas";
+
+// src/react/cookie-utils-browser.ts
+function isBrowser() {
+  return typeof window !== "undefined" && typeof document !== "undefined";
+}
+function parseUserCookie() {
+  if (!isBrowser()) return null;
+  try {
+    const cookies = document.cookie.split(";");
+    const userCookie = cookies.find(
+      (c) => c.trim().startsWith(`${COOKIE_NAMES.USER}=`)
+    );
+    if (!userCookie) return null;
+    const value = userCookie.split("=").slice(1).join("=").trim();
+    const decoded = decodeURIComponent(value);
+    const parsed = JSON.parse(decoded);
+    if (!parsed.id || !parsed.email || !parsed.role) {
+      console.warn("[oauth-client] Invalid user cookie: missing required fields");
+      return null;
+    }
+    return parsed;
+  } catch (error) {
+    console.warn("[oauth-client] Failed to parse user cookie:", error);
+    return null;
+  }
+}
+function hasSessionCookie() {
+  if (!isBrowser()) return false;
+  return document.cookie.includes(`${COOKIE_NAMES.SESSION}=`);
+}
+function hasAuthCookies() {
+  return hasSessionCookie() && parseUserCookie() !== null;
+}
+function clearUserCookie(domain = ".lanonasis.com") {
+  if (!isBrowser()) return;
+  document.cookie = `${COOKIE_NAMES.USER}=; domain=${domain}; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+}
+
+// src/react/useSSO.ts
+function useSSO(config = {}) {
+  const {
+    authGatewayUrl = DEFAULT_AUTH_GATEWAY,
+    onAuthChange,
+    pollInterval = DEFAULT_POLL_INTERVAL
+  } = config;
+  const [state, setState] = (0, import_react.useState)({
+    isAuthenticated: false,
+    isLoading: true,
+    user: null,
+    error: null
+  });
+  const prevStateRef = (0, import_react.useRef)(null);
+  const checkAuthState = (0, import_react.useCallback)(() => {
+    if (!isBrowser()) {
+      setState({
+        isAuthenticated: false,
+        isLoading: false,
+        user: null,
+        error: null
+      });
+      return;
+    }
+    try {
+      const hasSession = hasSessionCookie();
+      const user = parseUserCookie();
+      const newState = {
+        isAuthenticated: hasSession && user !== null,
+        isLoading: false,
+        user: hasSession ? user : null,
+        error: null
+      };
+      setState(newState);
+      if (onAuthChange && prevStateRef.current && prevStateRef.current.isAuthenticated !== newState.isAuthenticated) {
+        onAuthChange(newState);
+      }
+      prevStateRef.current = newState;
+    } catch (error) {
+      const errorState = {
+        isAuthenticated: false,
+        isLoading: false,
+        user: null,
+        error: error instanceof Error ? error.message : "Failed to check auth state"
+      };
+      setState(errorState);
+      prevStateRef.current = errorState;
+    }
+  }, [onAuthChange]);
+  const refresh = (0, import_react.useCallback)(() => {
+    setState((prev) => ({ ...prev, isLoading: true }));
+    checkAuthState();
+  }, [checkAuthState]);
+  const logout = (0, import_react.useCallback)((returnTo) => {
+    if (!isBrowser()) return;
+    const logoutUrl = new URL("/web/logout", authGatewayUrl);
+    if (returnTo) {
+      logoutUrl.searchParams.set("return_to", returnTo);
+    }
+    window.location.href = logoutUrl.toString();
+  }, [authGatewayUrl]);
+  const getLoginUrl = (0, import_react.useCallback)((returnTo) => {
+    const loginUrl = new URL("/web/login", authGatewayUrl);
+    if (returnTo) {
+      loginUrl.searchParams.set("return_to", returnTo);
+    }
+    return loginUrl.toString();
+  }, [authGatewayUrl]);
+  (0, import_react.useEffect)(() => {
+    const timer = setTimeout(checkAuthState, 0);
+    return () => clearTimeout(timer);
+  }, [checkAuthState]);
+  (0, import_react.useEffect)(() => {
+    if (!isBrowser() || pollInterval <= 0) return;
+    const interval = setInterval(checkAuthState, pollInterval);
+    return () => clearInterval(interval);
+  }, [checkAuthState, pollInterval]);
+  (0, import_react.useEffect)(() => {
+    if (!isBrowser()) return;
+    const handleStorageChange = (event) => {
+      if (event.key === null || event.key?.includes("auth")) {
+        checkAuthState();
+      }
+    };
+    window.addEventListener("storage", handleStorageChange);
+    return () => window.removeEventListener("storage", handleStorageChange);
+  }, [checkAuthState]);
+  (0, import_react.useEffect)(() => {
+    if (!isBrowser()) return;
+    const handleFocus = () => {
+      checkAuthState();
+    };
+    window.addEventListener("focus", handleFocus);
+    return () => window.removeEventListener("focus", handleFocus);
+  }, [checkAuthState]);
+  return {
+    ...state,
+    refresh,
+    logout,
+    getLoginUrl
+  };
+}
+
+// src/react/useSSOSync.ts
+var import_react2 = require("react");
+function useSSOSync(supabaseSession, config = {}) {
+  const {
+    authGatewayUrl = DEFAULT_AUTH_GATEWAY,
+    projectScope = DEFAULT_PROJECT_SCOPE,
+    onSyncComplete
+  } = config;
+  const lastSyncedTokenRef = (0, import_react2.useRef)(null);
+  const syncWithGateway = (0, import_react2.useCallback)(
+    async (session) => {
+      if (!isBrowser()) return false;
+      try {
+        const response = await fetch(
+          `${authGatewayUrl}/v1/auth/token/exchange`,
+          {
+            method: "POST",
+            headers: {
+              Authorization: `Bearer ${session.access_token}`,
+              "Content-Type": "application/json",
+              "X-Project-Scope": projectScope
+            },
+            credentials: "include",
+            // Important: include cookies
+            body: JSON.stringify({
+              project_scope: projectScope,
+              platform: "web"
+            })
+          }
+        );
+        if (!response.ok) {
+          console.warn("[oauth-client] SSO sync failed:", response.status);
+          onSyncComplete?.(false);
+          return false;
+        }
+        const data = await response.json();
+        if (data.cookies_set) {
+          console.log("[oauth-client] SSO cookies set successfully");
+        }
+        onSyncComplete?.(true);
+        return true;
+      } catch (error) {
+        console.error("[oauth-client] SSO sync error:", error);
+        onSyncComplete?.(false);
+        return false;
+      }
+    },
+    [authGatewayUrl, projectScope, onSyncComplete]
+  );
+  const sync = (0, import_react2.useCallback)(async () => {
+    if (!supabaseSession?.access_token) {
+      console.warn("[oauth-client] Cannot sync: no Supabase session");
+      return false;
+    }
+    return syncWithGateway(supabaseSession);
+  }, [supabaseSession, syncWithGateway]);
+  (0, import_react2.useEffect)(() => {
+    const token = supabaseSession?.access_token;
+    if (!token || token === lastSyncedTokenRef.current) {
+      return;
+    }
+    lastSyncedTokenRef.current = token;
+    syncWithGateway(supabaseSession);
+  }, [supabaseSession?.access_token, syncWithGateway, supabaseSession]);
+  return {
+    sync,
+    syncWithGateway
+  };
+}