@last1id/sdk 0.1.0

package/CHANGELOG.md

@@ -0,0 +1,8 @@
+# Changelog
+
+## 0.1.0
+
+- Initial publishable SDK skeleton.
+- PKCE helper support.
+- Authorize URL generation.
+- Token exchange and refresh helpers.

package/README.md

@@ -0,0 +1,38 @@
+# @last1id/sdk
+
+Zero-to-login SDK for Last1 ID OIDC Authorization Code + PKCE.
+
+## Install
+
+```bash
+npm install @last1id/sdk
+```
+
+## Usage
+
+```ts
+import { createPkcePair, buildAuthorizeUrl, exchangeCode } from "@last1id/sdk";
+
+const pkce = await createPkcePair();
+const authorizeUrl = buildAuthorizeUrl(
+  {
+    issuerUrl: "https://id.last1.com",
+    clientId: process.env.LAST1_CLIENT_ID!,
+    redirectUri: "https://app.example.com/auth/callback",
+    scopes: ["openid", "profile", "offline_access"]
+  },
+  pkce
+);
+
+// Redirect user to authorizeUrl, then exchange code in callback route.
+const tokenSet = await exchangeCode({
+  issuerUrl: "https://id.last1.com",
+  clientId: process.env.LAST1_CLIENT_ID!,
+  clientSecret: process.env.LAST1_CLIENT_SECRET!,
+  redirectUri: "https://app.example.com/auth/callback",
+  code: "AUTH_CODE",
+  codeVerifier: pkce.codeVerifier
+});
+```
+
+> `createPkcePair()` uses Web Crypto and returns a Promise. It works in modern browsers and Node 20+.

package/dist/index.d.ts

@@ -0,0 +1,36 @@
+export interface PkcePair {
+  codeVerifier: string;
+  codeChallenge: string;
+  codeChallengeMethod: "S256";
+}
+
+export interface AuthorizeOptions {
+  issuerUrl: string;
+  clientId: string;
+  redirectUri: string;
+  scopes?: string[];
+  state?: string;
+  nonce?: string;
+}
+
+export interface TokenExchangeOptions {
+  issuerUrl: string;
+  clientId: string;
+  redirectUri: string;
+  code: string;
+  codeVerifier: string;
+  clientSecret?: string;
+}
+
+export interface RefreshTokenOptions {
+  issuerUrl: string;
+  clientId: string;
+  refreshToken: string;
+  clientSecret?: string;
+}
+
+export declare function createPkcePair(): Promise<PkcePair>;
+export declare function fetchDiscovery(issuerUrl: string): Promise<Record<string, unknown>>;
+export declare function buildAuthorizeUrl(options: AuthorizeOptions, pkce: PkcePair): string;
+export declare function exchangeCode(options: TokenExchangeOptions): Promise<Record<string, unknown>>;
+export declare function refreshToken(options: RefreshTokenOptions): Promise<Record<string, unknown>>;

package/dist/index.js

@@ -0,0 +1,85 @@
+function getWebCrypto() {
+  const c = globalThis.crypto;
+  if (!c?.getRandomValues || !c?.subtle) {
+    throw new Error("Web Crypto API is required (Node 20+ or modern browser)");
+  }
+  return c;
+}
+
+function base64UrlEncode(bytes) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64url");
+  }
+  let binary = "";
+  for (const byte of bytes) binary += String.fromCharCode(byte);
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+
+function randomToken(bytes = 32) {
+  const arr = new Uint8Array(bytes);
+  getWebCrypto().getRandomValues(arr);
+  return base64UrlEncode(arr);
+}
+
+export async function createPkcePair() {
+  const codeVerifier = randomToken(48);
+  const input = new TextEncoder().encode(codeVerifier);
+  const digest = await getWebCrypto().subtle.digest("SHA-256", input);
+  const codeChallenge = base64UrlEncode(new Uint8Array(digest));
+  return { codeVerifier, codeChallenge, codeChallengeMethod: "S256" };
+}
+
+export async function fetchDiscovery(issuerUrl) {
+  const issuer = issuerUrl.replace(/\/$/, "");
+  const response = await fetch(`${issuer}/.well-known/openid-configuration`);
+  if (!response.ok) throw new Error(`Discovery failed (${response.status})`);
+  return response.json();
+}
+
+export function buildAuthorizeUrl(options, pkce) {
+  const params = new URLSearchParams({
+    response_type: "code",
+    client_id: options.clientId,
+    redirect_uri: options.redirectUri,
+    scope: (options.scopes?.length ? options.scopes : ["openid", "profile", "offline_access"]).join(" "),
+    state: options.state ?? randomToken(24),
+    nonce: options.nonce ?? randomToken(24),
+    code_challenge: pkce.codeChallenge,
+    code_challenge_method: pkce.codeChallengeMethod
+  });
+  return `${options.issuerUrl.replace(/\/$/, "")}/oauth/authorize?${params.toString()}`;
+}
+
+export async function exchangeCode(options) {
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    code: options.code,
+    redirect_uri: options.redirectUri,
+    client_id: options.clientId,
+    code_verifier: options.codeVerifier
+  });
+  if (options.clientSecret) body.set("client_secret", options.clientSecret);
+  const response = await fetch(`${options.issuerUrl.replace(/\/$/, "")}/oauth/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body
+  });
+  if (!response.ok) throw new Error(`Token exchange failed (${response.status})`);
+  return response.json();
+}
+
+export async function refreshToken(options) {
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: options.refreshToken,
+    client_id: options.clientId
+  });
+  if (options.clientSecret) body.set("client_secret", options.clientSecret);
+  const response = await fetch(`${options.issuerUrl.replace(/\/$/, "")}/oauth/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body
+  });
+  if (!response.ok) throw new Error(`Refresh token failed (${response.status})`);
+  return response.json();
+}

package/package.json

@@ -0,0 +1,26 @@
+{
+  "name": "@last1id/sdk",
+  "version": "0.1.0",
+  "description": "Zero-to-login OIDC SDK for Last1 ID",
+  "license": "MIT",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "CHANGELOG.md"
+  ],
+  "keywords": [
+    "oidc",
+    "oauth2",
+    "pkce",
+    "last1"
+  ]
+}