@lanonasis/oauth-client 1.2.8 → 2.0.0

package/dist/react/index.d.cts

@@ -0,0 +1,95 @@
+import { S as SSOConfig, U as UseSSOReturn, a as SupabaseSession, b as SSOSyncConfig, c as UseSSOSyncReturn, d as SSOUser } from '../constants-BOZ6jJU4.cjs';
+export { C as COOKIE_NAMES, D as DEFAULT_AUTH_GATEWAY, f as DEFAULT_COOKIE_DOMAIN, g as DEFAULT_POLL_INTERVAL, h as DEFAULT_PROJECT_SCOPE, e as SSOState } from '../constants-BOZ6jJU4.cjs';
+
+/**
+ * React hook for SSO authentication state
+ * @module @lanonasis/oauth-client/react
+ */
+
+/**
+ * React hook for SSO authentication state
+ *
+ * Reads the lanonasis_user cookie to determine auth state.
+ * Works across all *.lanonasis.com subdomains.
+ *
+ * @example
+ * ```tsx
+ * function Navbar() {
+ *   const { isAuthenticated, user, logout } = useSSO();
+ *
+ *   if (isAuthenticated && user) {
+ *     return <span>Welcome, {user.email}</span>;
+ *   }
+ *   return <a href="https://auth.lanonasis.com/web/login">Sign In</a>;
+ * }
+ * ```
+ */
+declare function useSSO(config?: SSOConfig): UseSSOReturn;
+
+/**
+ * React hook to sync Supabase auth state with lanonasis cookies
+ * @module @lanonasis/oauth-client/react
+ */
+
+/**
+ * React hook to sync Supabase auth state with lanonasis cookies
+ *
+ * Call this hook in components that use Supabase auth to ensure
+ * cross-subdomain SSO cookies are set when user logs in.
+ *
+ * @example
+ * ```tsx
+ * function AuthProvider({ children }) {
+ *   const { data: { session } } = useSupabaseSession();
+ *
+ *   // Sync Supabase session with SSO cookies
+ *   useSSOSync(session, {
+ *     projectScope: 'my-app',
+ *     onSyncComplete: (success) => {
+ *       console.log('SSO sync:', success ? 'success' : 'failed');
+ *     }
+ *   });
+ *
+ *   return <>{children}</>;
+ * }
+ * ```
+ */
+declare function useSSOSync(supabaseSession: SupabaseSession | null, config?: SSOSyncConfig): UseSSOSyncReturn;
+
+/**
+ * Browser-side cookie utilities for SSO authentication
+ * @module @lanonasis/oauth-client/react
+ */
+
+/**
+ * Check if we're in a browser environment
+ */
+declare function isBrowser(): boolean;
+/**
+ * Parse the lanonasis_user cookie (non-HttpOnly, readable by JS)
+ * This cookie contains: { id, email, role, name?, avatar_url? }
+ *
+ * @returns User data or null if cookie doesn't exist or is invalid
+ */
+declare function parseUserCookie(): SSOUser | null;
+/**
+ * Check if the session cookie exists (cannot read value due to HttpOnly)
+ *
+ * @returns true if lanonasis_session cookie exists
+ */
+declare function hasSessionCookie(): boolean;
+/**
+ * Check if user appears to be authenticated based on cookies
+ *
+ * @returns true if both session and user cookies exist
+ */
+declare function hasAuthCookies(): boolean;
+/**
+ * Clear auth cookies (client-side only clears non-HttpOnly cookies)
+ * Full logout should redirect to auth gateway
+ *
+ * @param domain - Cookie domain (default: .lanonasis.com)
+ */
+declare function clearUserCookie(domain?: string): void;
+
+export { SSOConfig, SSOSyncConfig, SSOUser, SupabaseSession, UseSSOReturn, UseSSOSyncReturn, clearUserCookie, hasAuthCookies, hasSessionCookie, isBrowser, parseUserCookie, useSSO, useSSOSync };

package/dist/react/index.d.ts

@@ -0,0 +1,95 @@
+import { S as SSOConfig, U as UseSSOReturn, a as SupabaseSession, b as SSOSyncConfig, c as UseSSOSyncReturn, d as SSOUser } from '../constants-BOZ6jJU4.js';
+export { C as COOKIE_NAMES, D as DEFAULT_AUTH_GATEWAY, f as DEFAULT_COOKIE_DOMAIN, g as DEFAULT_POLL_INTERVAL, h as DEFAULT_PROJECT_SCOPE, e as SSOState } from '../constants-BOZ6jJU4.js';
+
+/**
+ * React hook for SSO authentication state
+ * @module @lanonasis/oauth-client/react
+ */
+
+/**
+ * React hook for SSO authentication state
+ *
+ * Reads the lanonasis_user cookie to determine auth state.
+ * Works across all *.lanonasis.com subdomains.
+ *
+ * @example
+ * ```tsx
+ * function Navbar() {
+ *   const { isAuthenticated, user, logout } = useSSO();
+ *
+ *   if (isAuthenticated && user) {
+ *     return <span>Welcome, {user.email}</span>;
+ *   }
+ *   return <a href="https://auth.lanonasis.com/web/login">Sign In</a>;
+ * }
+ * ```
+ */
+declare function useSSO(config?: SSOConfig): UseSSOReturn;
+
+/**
+ * React hook to sync Supabase auth state with lanonasis cookies
+ * @module @lanonasis/oauth-client/react
+ */
+
+/**
+ * React hook to sync Supabase auth state with lanonasis cookies
+ *
+ * Call this hook in components that use Supabase auth to ensure
+ * cross-subdomain SSO cookies are set when user logs in.
+ *
+ * @example
+ * ```tsx
+ * function AuthProvider({ children }) {
+ *   const { data: { session } } = useSupabaseSession();
+ *
+ *   // Sync Supabase session with SSO cookies
+ *   useSSOSync(session, {
+ *     projectScope: 'my-app',
+ *     onSyncComplete: (success) => {
+ *       console.log('SSO sync:', success ? 'success' : 'failed');
+ *     }
+ *   });
+ *
+ *   return <>{children}</>;
+ * }
+ * ```
+ */
+declare function useSSOSync(supabaseSession: SupabaseSession | null, config?: SSOSyncConfig): UseSSOSyncReturn;
+
+/**
+ * Browser-side cookie utilities for SSO authentication
+ * @module @lanonasis/oauth-client/react
+ */
+
+/**
+ * Check if we're in a browser environment
+ */
+declare function isBrowser(): boolean;
+/**
+ * Parse the lanonasis_user cookie (non-HttpOnly, readable by JS)
+ * This cookie contains: { id, email, role, name?, avatar_url? }
+ *
+ * @returns User data or null if cookie doesn't exist or is invalid
+ */
+declare function parseUserCookie(): SSOUser | null;
+/**
+ * Check if the session cookie exists (cannot read value due to HttpOnly)
+ *
+ * @returns true if lanonasis_session cookie exists
+ */
+declare function hasSessionCookie(): boolean;
+/**
+ * Check if user appears to be authenticated based on cookies
+ *
+ * @returns true if both session and user cookies exist
+ */
+declare function hasAuthCookies(): boolean;
+/**
+ * Clear auth cookies (client-side only clears non-HttpOnly cookies)
+ * Full logout should redirect to auth gateway
+ *
+ * @param domain - Cookie domain (default: .lanonasis.com)
+ */
+declare function clearUserCookie(domain?: string): void;
+
+export { SSOConfig, SSOSyncConfig, SSOUser, SupabaseSession, UseSSOReturn, UseSSOSyncReturn, clearUserCookie, hasAuthCookies, hasSessionCookie, isBrowser, parseUserCookie, useSSO, useSSOSync };

package/dist/react/index.mjs

@@ -0,0 +1,238 @@
+// src/react/useSSO.ts
+import { useState, useEffect, useCallback, useRef } from "react";
+
+// src/cookies/constants.ts
+var COOKIE_NAMES = {
+  /** HttpOnly JWT session token */
+  SESSION: "lanonasis_session",
+  /** Readable user metadata (JSON) */
+  USER: "lanonasis_user"
+};
+var DEFAULT_COOKIE_DOMAIN = ".lanonasis.com";
+var DEFAULT_AUTH_GATEWAY = "https://auth.lanonasis.com";
+var DEFAULT_POLL_INTERVAL = 3e4;
+var DEFAULT_PROJECT_SCOPE = "lanonasis-maas";
+
+// src/react/cookie-utils-browser.ts
+function isBrowser() {
+  return typeof window !== "undefined" && typeof document !== "undefined";
+}
+function parseUserCookie() {
+  if (!isBrowser()) return null;
+  try {
+    const cookies = document.cookie.split(";");
+    const userCookie = cookies.find(
+      (c) => c.trim().startsWith(`${COOKIE_NAMES.USER}=`)
+    );
+    if (!userCookie) return null;
+    const value = userCookie.split("=").slice(1).join("=").trim();
+    const decoded = decodeURIComponent(value);
+    const parsed = JSON.parse(decoded);
+    if (!parsed.id || !parsed.email || !parsed.role) {
+      console.warn("[oauth-client] Invalid user cookie: missing required fields");
+      return null;
+    }
+    return parsed;
+  } catch (error) {
+    console.warn("[oauth-client] Failed to parse user cookie:", error);
+    return null;
+  }
+}
+function hasSessionCookie() {
+  if (!isBrowser()) return false;
+  return document.cookie.includes(`${COOKIE_NAMES.SESSION}=`);
+}
+function hasAuthCookies() {
+  return hasSessionCookie() && parseUserCookie() !== null;
+}
+function clearUserCookie(domain = ".lanonasis.com") {
+  if (!isBrowser()) return;
+  document.cookie = `${COOKIE_NAMES.USER}=; domain=${domain}; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+}
+
+// src/react/useSSO.ts
+function useSSO(config = {}) {
+  const {
+    authGatewayUrl = DEFAULT_AUTH_GATEWAY,
+    onAuthChange,
+    pollInterval = DEFAULT_POLL_INTERVAL
+  } = config;
+  const [state, setState] = useState({
+    isAuthenticated: false,
+    isLoading: true,
+    user: null,
+    error: null
+  });
+  const prevStateRef = useRef(null);
+  const checkAuthState = useCallback(() => {
+    if (!isBrowser()) {
+      setState({
+        isAuthenticated: false,
+        isLoading: false,
+        user: null,
+        error: null
+      });
+      return;
+    }
+    try {
+      const hasSession = hasSessionCookie();
+      const user = parseUserCookie();
+      const newState = {
+        isAuthenticated: hasSession && user !== null,
+        isLoading: false,
+        user: hasSession ? user : null,
+        error: null
+      };
+      setState(newState);
+      if (onAuthChange && prevStateRef.current && prevStateRef.current.isAuthenticated !== newState.isAuthenticated) {
+        onAuthChange(newState);
+      }
+      prevStateRef.current = newState;
+    } catch (error) {
+      const errorState = {
+        isAuthenticated: false,
+        isLoading: false,
+        user: null,
+        error: error instanceof Error ? error.message : "Failed to check auth state"
+      };
+      setState(errorState);
+      prevStateRef.current = errorState;
+    }
+  }, [onAuthChange]);
+  const refresh = useCallback(() => {
+    setState((prev) => ({ ...prev, isLoading: true }));
+    checkAuthState();
+  }, [checkAuthState]);
+  const logout = useCallback((returnTo) => {
+    if (!isBrowser()) return;
+    const logoutUrl = new URL("/web/logout", authGatewayUrl);
+    if (returnTo) {
+      logoutUrl.searchParams.set("return_to", returnTo);
+    }
+    window.location.href = logoutUrl.toString();
+  }, [authGatewayUrl]);
+  const getLoginUrl = useCallback((returnTo) => {
+    const loginUrl = new URL("/web/login", authGatewayUrl);
+    if (returnTo) {
+      loginUrl.searchParams.set("return_to", returnTo);
+    }
+    return loginUrl.toString();
+  }, [authGatewayUrl]);
+  useEffect(() => {
+    const timer = setTimeout(checkAuthState, 0);
+    return () => clearTimeout(timer);
+  }, [checkAuthState]);
+  useEffect(() => {
+    if (!isBrowser() || pollInterval <= 0) return;
+    const interval = setInterval(checkAuthState, pollInterval);
+    return () => clearInterval(interval);
+  }, [checkAuthState, pollInterval]);
+  useEffect(() => {
+    if (!isBrowser()) return;
+    const handleStorageChange = (event) => {
+      if (event.key === null || event.key?.includes("auth")) {
+        checkAuthState();
+      }
+    };
+    window.addEventListener("storage", handleStorageChange);
+    return () => window.removeEventListener("storage", handleStorageChange);
+  }, [checkAuthState]);
+  useEffect(() => {
+    if (!isBrowser()) return;
+    const handleFocus = () => {
+      checkAuthState();
+    };
+    window.addEventListener("focus", handleFocus);
+    return () => window.removeEventListener("focus", handleFocus);
+  }, [checkAuthState]);
+  return {
+    ...state,
+    refresh,
+    logout,
+    getLoginUrl
+  };
+}
+
+// src/react/useSSOSync.ts
+import { useCallback as useCallback2, useEffect as useEffect2, useRef as useRef2 } from "react";
+function useSSOSync(supabaseSession, config = {}) {
+  const {
+    authGatewayUrl = DEFAULT_AUTH_GATEWAY,
+    projectScope = DEFAULT_PROJECT_SCOPE,
+    onSyncComplete
+  } = config;
+  const lastSyncedTokenRef = useRef2(null);
+  const syncWithGateway = useCallback2(
+    async (session) => {
+      if (!isBrowser()) return false;
+      try {
+        const response = await fetch(
+          `${authGatewayUrl}/v1/auth/token/exchange`,
+          {
+            method: "POST",
+            headers: {
+              Authorization: `Bearer ${session.access_token}`,
+              "Content-Type": "application/json",
+              "X-Project-Scope": projectScope
+            },
+            credentials: "include",
+            // Important: include cookies
+            body: JSON.stringify({
+              project_scope: projectScope,
+              platform: "web"
+            })
+          }
+        );
+        if (!response.ok) {
+          console.warn("[oauth-client] SSO sync failed:", response.status);
+          onSyncComplete?.(false);
+          return false;
+        }
+        const data = await response.json();
+        if (data.cookies_set) {
+          console.log("[oauth-client] SSO cookies set successfully");
+        }
+        onSyncComplete?.(true);
+        return true;
+      } catch (error) {
+        console.error("[oauth-client] SSO sync error:", error);
+        onSyncComplete?.(false);
+        return false;
+      }
+    },
+    [authGatewayUrl, projectScope, onSyncComplete]
+  );
+  const sync = useCallback2(async () => {
+    if (!supabaseSession?.access_token) {
+      console.warn("[oauth-client] Cannot sync: no Supabase session");
+      return false;
+    }
+    return syncWithGateway(supabaseSession);
+  }, [supabaseSession, syncWithGateway]);
+  useEffect2(() => {
+    const token = supabaseSession?.access_token;
+    if (!token || token === lastSyncedTokenRef.current) {
+      return;
+    }
+    lastSyncedTokenRef.current = token;
+    syncWithGateway(supabaseSession);
+  }, [supabaseSession?.access_token, syncWithGateway, supabaseSession]);
+  return {
+    sync,
+    syncWithGateway
+  };
+}
+export {
+  COOKIE_NAMES,
+  DEFAULT_AUTH_GATEWAY,
+  DEFAULT_COOKIE_DOMAIN,
+  DEFAULT_POLL_INTERVAL,
+  DEFAULT_PROJECT_SCOPE,
+  clearUserCookie,
+  hasAuthCookies,
+  hasSessionCookie,
+  isBrowser,
+  parseUserCookie,
+  useSSO,
+  useSSOSync
+};

package/dist/server/index.cjs

@@ -0,0 +1,169 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/server/index.ts
+var server_exports = {};
+__export(server_exports, {
+  COOKIE_NAMES: () => COOKIE_NAMES,
+  DEFAULT_AUTH_GATEWAY: () => DEFAULT_AUTH_GATEWAY,
+  DEFAULT_COOKIE_DOMAIN: () => DEFAULT_COOKIE_DOMAIN,
+  DEFAULT_PROJECT_SCOPE: () => DEFAULT_PROJECT_SCOPE,
+  getSSOUserFromRequest: () => getSSOUserFromRequest,
+  getSessionToken: () => getSessionToken,
+  getSessionTokenFromRequest: () => getSessionTokenFromRequest,
+  hasAuthCookiesServer: () => hasAuthCookiesServer,
+  hasSSOfromRequest: () => hasSSOfromRequest,
+  hasSessionCookieServer: () => hasSessionCookieServer,
+  optionalAuth: () => optionalAuth,
+  parseCookieHeader: () => parseCookieHeader,
+  parseUserCookieServer: () => parseUserCookieServer,
+  requireAuth: () => requireAuth,
+  requireRole: () => requireRole,
+  validateSessionMiddleware: () => validateSessionMiddleware
+});
+module.exports = __toCommonJS(server_exports);
+
+// src/cookies/constants.ts
+var COOKIE_NAMES = {
+  /** HttpOnly JWT session token */
+  SESSION: "lanonasis_session",
+  /** Readable user metadata (JSON) */
+  USER: "lanonasis_user"
+};
+var DEFAULT_COOKIE_DOMAIN = ".lanonasis.com";
+var DEFAULT_AUTH_GATEWAY = "https://auth.lanonasis.com";
+var DEFAULT_PROJECT_SCOPE = "lanonasis-maas";
+
+// src/server/cookie-utils.ts
+function parseCookieHeader(cookieHeader) {
+  if (!cookieHeader) return {};
+  const cookies = {};
+  const pairs = cookieHeader.split(";");
+  for (const pair of pairs) {
+    const [name, ...valueParts] = pair.trim().split("=");
+    if (name) {
+      cookies[name.trim()] = valueParts.join("=").trim();
+    }
+  }
+  return cookies;
+}
+function getSessionToken(cookies) {
+  if (!cookies) return null;
+  const parsed = typeof cookies === "string" ? parseCookieHeader(cookies) : cookies;
+  const token = parsed[COOKIE_NAMES.SESSION];
+  return token || null;
+}
+function parseUserCookieServer(cookies) {
+  if (!cookies) return null;
+  try {
+    const parsed = typeof cookies === "string" ? parseCookieHeader(cookies) : cookies;
+    const userCookie = parsed[COOKIE_NAMES.USER];
+    if (!userCookie) return null;
+    const decoded = decodeURIComponent(userCookie);
+    const user = JSON.parse(decoded);
+    if (!user.id || !user.email || !user.role) {
+      console.warn("[oauth-client/server] Invalid user cookie: missing required fields");
+      return null;
+    }
+    return user;
+  } catch (error) {
+    console.warn("[oauth-client/server] Failed to parse user cookie:", error);
+    return null;
+  }
+}
+function hasSessionCookieServer(cookies) {
+  if (!cookies) return false;
+  const parsed = typeof cookies === "string" ? parseCookieHeader(cookies) : cookies;
+  return COOKIE_NAMES.SESSION in parsed && !!parsed[COOKIE_NAMES.SESSION];
+}
+function hasAuthCookiesServer(cookies) {
+  return hasSessionCookieServer(cookies) && parseUserCookieServer(cookies) !== null;
+}
+function getSSOUserFromRequest(req) {
+  if (req.cookies) {
+    return parseUserCookieServer(req.cookies);
+  }
+  return parseUserCookieServer(req.headers?.cookie);
+}
+function getSessionTokenFromRequest(req) {
+  if (req.cookies) {
+    return getSessionToken(req.cookies);
+  }
+  return getSessionToken(req.headers?.cookie);
+}
+function hasSSOfromRequest(req) {
+  if (req.cookies) {
+    return hasAuthCookiesServer(req.cookies);
+  }
+  return hasAuthCookiesServer(req.headers?.cookie);
+}
+
+// src/server/middleware.ts
+function validateSessionMiddleware(config = {}) {
+  const {
+    cookieDomain = DEFAULT_COOKIE_DOMAIN,
+    allowAnonymous = false
+  } = config;
+  return (req, res, next) => {
+    if (hasSSOfromRequest(req)) {
+      const user = getSSOUserFromRequest(req);
+      if (user) {
+        req.user = user;
+        return next();
+      }
+    }
+    if (allowAnonymous) {
+      return next();
+    }
+    res.clearCookie(COOKIE_NAMES.SESSION, { domain: cookieDomain, path: "/" });
+    res.clearCookie(COOKIE_NAMES.USER, { domain: cookieDomain, path: "/" });
+    return res.status(401).json({
+      error: "Authentication required",
+      code: "AUTH_REQUIRED",
+      login_url: `${config.authGatewayUrl || DEFAULT_AUTH_GATEWAY}/web/login`
+    });
+  };
+}
+function requireAuth(config = {}) {
+  return validateSessionMiddleware({ ...config, allowAnonymous: false });
+}
+function optionalAuth(config = {}) {
+  return validateSessionMiddleware({ ...config, allowAnonymous: true });
+}
+function requireRole(role, config = {}) {
+  const roles = Array.isArray(role) ? role : [role];
+  return (req, res, next) => {
+    if (!req.user) {
+      return res.status(401).json({
+        error: "Authentication required",
+        code: "AUTH_REQUIRED",
+        login_url: `${config.authGatewayUrl || DEFAULT_AUTH_GATEWAY}/web/login`
+      });
+    }
+    if (!roles.includes(req.user.role)) {
+      return res.status(403).json({
+        error: "Insufficient permissions",
+        code: "FORBIDDEN",
+        required_role: roles,
+        current_role: req.user.role
+      });
+    }
+    return next();
+  };
+}