@loka-sms/sso 1.0.0

package/README.md

@@ -0,0 +1,193 @@
+# @loka-sms/sso
+
+SSO utilities, hooks, and components for Loka SMS modules.
+
+**Cookie-first auth** for same-domain apps. **OAuth2 PKCE** for third-party/external apps.
+
+## Install
+
+```bash
+npm install @loka-sms/sso
+```
+
+## Quick Start — Same-Domain App (Cookie-First)
+
+App runs on same domain as Gateway (e.g. `10.7.1.82`). Cookie `sms_ac_token` shared across all ports.
+
+### 1. Setup API client
+
+```ts
+// src/api/client.ts
+import axios from 'axios';
+import { createAuthInterceptor } from '@loka-sms/sso';
+
+const api = axios.create({
+  baseURL: import.meta.env.VITE_API_URL || '/api',
+  withCredentials: true,
+});
+
+api.interceptors.request.use(createAuthInterceptor());
+export default api;
+```
+
+Headers automatically attached:
+
+| Header | Source |
+|--------|--------|
+| `Authorization: Bearer <token>` | Cookie `sms_ac_token` → localStorage fallback |
+| `X-School-ID` | localStorage `school_sms_id` |
+| `X-User-ID` | localStorage `user_id` |
+| `X-User-Role` | localStorage `user_role` |
+| `X-Device-ID` | localStorage `device_sms_id` |
+| `X-Request-ID` | `crypto.randomUUID()` |
+
+### 2. Setup Auth Store
+
+```ts
+// src/stores/authStore.ts
+function getCookie(name: string): string {
+  const match = document.cookie.match(new RegExp('(^| )' + name + '=([^;]+)'));
+  return match ? decodeURIComponent(match[2]) : '';
+}
+
+function rehydrateUser() {
+  const cached = localStorage.getItem('my_user');
+  if (cached) return JSON.parse(cached);
+
+  const token = getCookie('sms_ac_token');
+  if (!token) return null;
+
+  const payload = JSON.parse(atob(token.split('.')[1]));
+  const user = {
+    sub: payload.sub, email: payload.email, fullName: payload.fullName,
+    role: payload.role, schoolId: payload.schoolId || '',
+  };
+  localStorage.setItem('my_user', JSON.stringify(user));
+  return user;
+}
+```
+
+### 3. Add routes
+
+```tsx
+import { OAuthCallback } from '@loka-sms/sso';
+import SignIn from './pages/SignIn';
+
+<Route path="/signin" element={<SignIn />} />
+<Route path="/auth/callback" element={<OAuthCallback clientId="my-module" />} />
+```
+
+### 4. Listen for cross-app logout
+
+```tsx
+import { useCrossAppLogout } from '@loka-sms/sso';
+
+function App() {
+  useCrossAppLogout(); // listens on BroadcastChannel 'loka-sso-logout'
+  // ...
+}
+```
+
+## Quick Start — Third-Party App (OAuth2 PKCE)
+
+App on different domain from Gateway. Full PKCE flow required.
+
+### 1. Redirect user to authorize
+
+```ts
+import { generateCodeVerifier, generateCodeChallenge, generateState } from '@loka-sms/sso';
+
+const verifier = generateCodeVerifier();
+const state = generateState();
+sessionStorage.setItem(`oauth_verifier_${state}`, verifier);
+
+const challenge = await generateCodeChallenge(verifier);
+const params = new URLSearchParams({
+  client_id: 'my-app',
+  redirect_uri: 'https://my-app.com/auth/callback',
+  response_type: 'code',
+  code_challenge: challenge,
+  code_challenge_method: 'S256',
+  state,
+});
+window.location.href = `https://gateway.loka.id/api/oauth/authorize?${params}`;
+```
+
+### 2. Handle callback
+
+```tsx
+import { OAuthCallback } from '@loka-sms/sso';
+
+<Route path="/auth/callback" element={<OAuthCallback clientId="my-app" />} />
+```
+
+Or use the hook directly:
+
+```ts
+import { useOAuthCallback } from '@loka-sms/sso';
+
+function AuthCallback() {
+  const { error, loading, phase } = useOAuthCallback({
+    clientId: 'my-app',
+    apiBase: 'https://gateway.loka.id/api',
+    redirectPath: '/dashboard',
+  });
+  // ...
+}
+```
+
+## API Reference
+
+### Interceptor
+
+| Export | Description |
+|--------|-------------|
+| `createAuthInterceptor()` | Axios request interceptor. Reads token cookie-first, attaches Authorization + context headers. |
+
+### Hooks
+
+| Export | Description |
+|--------|-------------|
+| `useCrossAppLogout()` | Listens on BroadcastChannel `loka-sso-logout`. Clears auth state and redirects to `/signin`. |
+| `useOAuthCallback(input)` | Handles OAuth2 PKCE code exchange. Returns `{ error, loading, phase }`. |
+
+**`useOAuthCallback` input:**
+
+| Field | Type | Default | Description |
+|-------|------|---------|-------------|
+| `clientId` | `string` | required | OAuth2 client ID |
+| `apiBase` | `string` | `'/api'` | Gateway API base URL |
+| `redirectPath` | `string` | `'/'` | Redirect path after success |
+
+### Components
+
+| Export | Description |
+|--------|-------------|
+| `<OAuthCallback clientId />` | Drop-in OAuth2 PKCE callback page. Wraps `useOAuthCallback`. |
+| `<OAuthTransfer />` | **Deprecated.** Legacy token-in-URL handler. Use cookie-first auth instead. |
+
+### PKCE Utilities
+
+| Export | Description |
+|--------|-------------|
+| `generateCodeVerifier()` | Generate cryptographically random code verifier |
+| `generateCodeChallenge(verifier)` | SHA-256 hash → base64url encode |
+| `generateState()` | Generate random state string for CSRF protection |
+| `sha256(input)` | Pure JS SHA-256 implementation |
+
+### Constants
+
+| Export | Description |
+|--------|-------------|
+| `SSO_STORAGE_KEYS` | Standard localStorage key names |
+| `SSO_CHANNELS` | BroadcastChannel names (`loka-sso-logout`, `loka-sso-login`, `loka-school-change`) |
+| `API_HEADERS` | Standard API header names |
+
+## Architecture
+
+```
+Same-domain apps (10.7.1.82:*) → cookie sms_ac_token shared → auto-login
+Third-party apps (external domain) → OAuth2 PKCE → code exchange → token
+```
+
+Cookie `sms_ac_token` is the single source of truth for authentication on same domain. `localStorage` is cache only. See [docs/flow_baru.md](../../docs/flow_baru.md) for full architecture.

package/dist/components/OAuthCallback.d.ts

@@ -0,0 +1,10 @@
+import type { OAuthCallbackInput } from '../hooks/useOAuthCallback';
+export interface OAuthCallbackProps extends Omit<OAuthCallbackInput, 'apiBase' | 'redirectPath'> {
+    apiBase?: string;
+    redirectPath?: string;
+    loadingText?: string;
+    errorText?: string;
+    loginLinkText?: string;
+    loginPath?: string;
+}
+export declare function OAuthCallback({ clientId, apiBase, redirectPath, loadingText, errorText, loginLinkText, loginPath, }: OAuthCallbackProps): import("react/jsx-runtime").JSX.Element;

package/dist/components/OAuthCallback.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthCallback = OAuthCallback;
+const jsx_runtime_1 = require("react/jsx-runtime");
+const useOAuthCallback_1 = require("../hooks/useOAuthCallback");
+function OAuthCallback({ clientId, apiBase, redirectPath, loadingText = 'Menyelesaikan login...', errorText, loginLinkText = 'Kembali ke login', loginPath = '/signin', }) {
+    const { error, loading, phase } = (0, useOAuthCallback_1.useOAuthCallback)({ clientId, apiBase, redirectPath });
+    if (error) {
+        return ((0, jsx_runtime_1.jsx)("div", { className: "flex items-center justify-center min-h-screen", children: (0, jsx_runtime_1.jsxs)("div", { className: "text-center", children: [(0, jsx_runtime_1.jsx)("p", { className: "text-red-500 mb-4", children: errorText || error }), (0, jsx_runtime_1.jsx)("a", { href: loginPath, className: "text-brand-500 hover:text-brand-600", children: loginLinkText })] }) }));
+    }
+    return ((0, jsx_runtime_1.jsx)("div", { className: "flex items-center justify-center min-h-screen", children: (0, jsx_runtime_1.jsx)("p", { className: "text-gray-500", children: loadingText }) }));
+}

package/dist/components/OAuthTransfer.d.ts

@@ -0,0 +1,6 @@
+export interface OAuthTransferProps {
+    apiBase?: string;
+    redirectPath?: string;
+    loginPath?: string;
+}
+export declare function OAuthTransfer({ apiBase, redirectPath, loginPath, }: OAuthTransferProps): import("react/jsx-runtime").JSX.Element;

package/dist/components/OAuthTransfer.js

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthTransfer = OAuthTransfer;
+const jsx_runtime_1 = require("react/jsx-runtime");
+// DEPRECATED: Cookie-based auth replaces token-in-URL transfer.
+// Kept for backward compatibility with external SSO clients.
+const react_1 = require("react");
+function OAuthTransfer({ apiBase, redirectPath = '/', loginPath = '/signin', }) {
+    const [error, setError] = (0, react_1.useState)('');
+    (0, react_1.useEffect)(() => {
+        const params = new URLSearchParams(window.location.search);
+        const token = params.get('token');
+        const refreshToken = params.get('refreshToken');
+        const base = apiBase || '/api';
+        if (!token) {
+            setError('Token tidak ditemukan.');
+            return;
+        }
+        // 1. Save JWT immediately (no network needed)
+        localStorage.setItem('sms_ac_token', token);
+        if (refreshToken)
+            localStorage.setItem('sms_refresh_token', refreshToken);
+        try {
+            const payload = JSON.parse(atob(token.split('.')[1]));
+            const userObj = {
+                sub: payload.sub, email: payload.email, fullName: payload.fullName,
+                name: payload.fullName, role: payload.role, schoolId: payload.schoolId,
+                features: payload.features || [], accessibleSchools: payload.accessibleSchools || [],
+            };
+            localStorage.setItem('lms_user', JSON.stringify(userObj));
+            localStorage.setItem('user_role', (payload.role || '').toLowerCase());
+            localStorage.setItem('user_id', payload.sub || '');
+            if (payload.schoolId)
+                localStorage.setItem('school_sms_id', payload.schoolId);
+        }
+        catch { /* decode non-critical */ }
+        // 2. Redirect immediately
+        window.location.href = redirectPath;
+        // 3. API calls — fire-and-forget
+        fetch(`${base}/auth/set-cookie`, {
+            method: 'POST', headers: { 'Content-Type': 'application/json' },
+            credentials: 'include',
+            body: JSON.stringify({ token, refreshToken }),
+        }).catch(() => { });
+        fetch(`${base}/auth/me`, {
+            headers: { Authorization: `Bearer ${token}` },
+            credentials: 'include',
+        }).then(r => r.json()).then(d => {
+            const p = d?.data ?? d;
+            if (p) {
+                localStorage.setItem('sms_user_profile', JSON.stringify(p));
+                document.cookie = `sms_user_profile=${encodeURIComponent(JSON.stringify(p))}; path=/; SameSite=Lax`;
+            }
+        }).catch(() => { });
+    }, []);
+    if (error) {
+        return ((0, jsx_runtime_1.jsx)("div", { className: "flex items-center justify-center min-h-screen", children: (0, jsx_runtime_1.jsxs)("div", { className: "text-center", children: [(0, jsx_runtime_1.jsx)("p", { className: "text-red-500 mb-4", children: error }), (0, jsx_runtime_1.jsx)("a", { href: loginPath, children: "Kembali ke login" })] }) }));
+    }
+    return ((0, jsx_runtime_1.jsx)("div", { className: "flex items-center justify-center min-h-screen", children: (0, jsx_runtime_1.jsx)("p", { className: "text-gray-500", children: "Menyelesaikan login..." }) }));
+}

package/dist/constants.d.ts

@@ -0,0 +1,22 @@
+export declare const SSO_STORAGE_KEYS: {
+    readonly ACCESS_TOKEN: "sms_ac_token";
+    readonly REFRESH_TOKEN: "sms_refresh_token";
+    readonly USER_PROFILE: "sms_user_profile";
+    readonly SCHOOL_ID: "school_sms_id";
+    readonly USER_ROLE: "user_role";
+    readonly USER_ID: "user_id";
+    readonly DEVICE_ID: "device_sms_id";
+};
+export declare const SSO_CHANNELS: {
+    readonly LOGOUT: "loka-sso-logout";
+    readonly LOGIN: "loka-sso-login";
+    readonly SCHOOL_CHANGE: "loka-school-change";
+};
+export declare const API_HEADERS: {
+    readonly AUTHORIZATION: "Authorization";
+    readonly SCHOOL_ID: "X-School-ID";
+    readonly USER_ROLE: "X-User-Role";
+    readonly USER_ID: "X-User-Id";
+    readonly DEVICE_ID: "X-Device-ID";
+    readonly REQUEST_ID: "X-Request-ID";
+};

package/dist/constants.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.API_HEADERS = exports.SSO_CHANNELS = exports.SSO_STORAGE_KEYS = void 0;
+exports.SSO_STORAGE_KEYS = {
+    ACCESS_TOKEN: 'sms_ac_token',
+    REFRESH_TOKEN: 'sms_refresh_token',
+    USER_PROFILE: 'sms_user_profile',
+    SCHOOL_ID: 'school_sms_id',
+    USER_ROLE: 'user_role',
+    USER_ID: 'user_id',
+    DEVICE_ID: 'device_sms_id',
+};
+exports.SSO_CHANNELS = {
+    LOGOUT: 'loka-sso-logout',
+    LOGIN: 'loka-sso-login',
+    SCHOOL_CHANGE: 'loka-school-change',
+};
+exports.API_HEADERS = {
+    AUTHORIZATION: 'Authorization',
+    SCHOOL_ID: 'X-School-ID',
+    USER_ROLE: 'X-User-Role',
+    USER_ID: 'X-User-Id',
+    DEVICE_ID: 'X-Device-ID',
+    REQUEST_ID: 'X-Request-ID',
+};

package/dist/hooks/useCrossAppLogout.d.ts

@@ -0,0 +1,6 @@
+interface CrossAppLogoutOptions {
+    onLogout?: () => void;
+    redirectPath?: string;
+}
+export declare function useCrossAppLogout(options?: CrossAppLogoutOptions): void;
+export {};

package/dist/hooks/useCrossAppLogout.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.useCrossAppLogout = useCrossAppLogout;
+const react_1 = require("react");
+function useCrossAppLogout(options) {
+    const redirectPath = options?.redirectPath || '/signin';
+    (0, react_1.useEffect)(() => {
+        const cleanup = [];
+        const bc = new BroadcastChannel('loka-sso-logout');
+        bc.onmessage = () => {
+            options?.onLogout?.();
+            window.location.href = redirectPath;
+        };
+        cleanup.push(() => bc.close());
+        const handler = (event) => {
+            if (event.key === 'sms_ac_token' && !event.newValue) {
+                options?.onLogout?.();
+                window.location.href = redirectPath;
+            }
+        };
+        window.addEventListener('storage', handler);
+        cleanup.push(() => window.removeEventListener('storage', handler));
+        return () => cleanup.forEach((fn) => fn());
+    }, [redirectPath]);
+}

package/dist/hooks/useOAuthCallback.d.ts

@@ -0,0 +1,11 @@
+export interface OAuthCallbackInput {
+    clientId: string;
+    apiBase?: string;
+    redirectPath?: string;
+}
+export interface OAuthCallbackState {
+    error: string | null;
+    loading: boolean;
+    phase: 'init' | 'exchange' | 'legacy' | 'done' | 'error';
+}
+export declare function useOAuthCallback(input: OAuthCallbackInput): OAuthCallbackState;

package/dist/hooks/useOAuthCallback.js

@@ -0,0 +1,112 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.useOAuthCallback = useOAuthCallback;
+const react_1 = require("react");
+const processedMarkers = new Set();
+function saveJwt(token, refreshToken) {
+    localStorage.setItem('sms_ac_token', token);
+    if (refreshToken)
+        localStorage.setItem('sms_refresh_token', refreshToken);
+    try {
+        const payload = JSON.parse(atob(token.split('.')[1]));
+        const userObj = {
+            sub: payload.sub, email: payload.email, fullName: payload.fullName,
+            name: payload.fullName, role: payload.role, schoolId: payload.schoolId,
+            features: payload.features || [], accessibleSchools: payload.accessibleSchools || [],
+        };
+        localStorage.setItem('lms_user', JSON.stringify(userObj));
+        localStorage.setItem('user_role', (payload.role || '').toLowerCase());
+        localStorage.setItem('user_id', payload.sub || '');
+        if (payload.schoolId)
+            localStorage.setItem('school_sms_id', payload.schoolId);
+    }
+    catch { /* decode non-critical */ }
+}
+function useOAuthCallback(input) {
+    const [state, setState] = (0, react_1.useState)({ error: null, loading: true, phase: 'init' });
+    (0, react_1.useEffect)(() => {
+        const params = new URLSearchParams(window.location.search);
+        const code = params.get('code');
+        const oauthState = params.get('state');
+        const token = params.get('token');
+        const refreshToken = params.get('refresh_token') || params.get('refreshToken');
+        const apiBase = input.apiBase || '/api';
+        const marker = code || token || '';
+        if (processedMarkers.has(marker))
+            return;
+        processedMarkers.add(marker);
+        // init=1 auto-PKCE trigger removed — cross-app auth now uses shared cookie.
+        // OAuth2 PKCE flow is still available for external/third-party apps via manual redirect.
+        if (!code && !token) {
+            setState({ error: 'Token tidak ditemukan.', loading: false, phase: 'error' });
+            return;
+        }
+        // Phase 2 & 3 — Save JWT FIRST, then redirect (API calls fire-and-forget)
+        (async () => {
+            let accessToken = token || '';
+            let refreshTok = refreshToken || '';
+            try {
+                if (code) {
+                    setState({ error: null, loading: true, phase: 'exchange' });
+                    const codeVerifier = sessionStorage.getItem(`oauth_verifier_${oauthState || ''}`) || '';
+                    sessionStorage.removeItem(`oauth_verifier_${oauthState || ''}`);
+                    let res = await fetch(`${apiBase}/oauth/token`, {
+                        method: 'POST',
+                        headers: { 'Content-Type': 'application/json' },
+                        credentials: 'include',
+                        body: JSON.stringify({ grant_type: 'authorization_code', code, code_verifier: codeVerifier }),
+                    });
+                    // Development fallback: retry without code_verifier if PKCE fails
+                    if (!res.ok && !codeVerifier) {
+                        res = await fetch(`${apiBase}/oauth/token`, {
+                            method: 'POST',
+                            headers: { 'Content-Type': 'application/json' },
+                            credentials: 'include',
+                            body: JSON.stringify({ grant_type: 'authorization_code', code }),
+                        });
+                    }
+                    if (!res.ok)
+                        throw new Error('Token exchange failed');
+                    const d = await res.json();
+                    accessToken = d.access_token;
+                    refreshTok = d.refresh_token || '';
+                }
+                else {
+                    setState({ error: null, loading: true, phase: 'legacy' });
+                    accessToken = token;
+                    refreshTok = refreshToken || '';
+                }
+                // 1. Save token from JWT decode FIRST — no network needed
+                saveJwt(accessToken, refreshTok);
+                // 2. Redirect immediately — don't wait for API calls
+                setState({ error: null, loading: false, phase: 'done' });
+                window.location.href = input.redirectPath || '/';
+            }
+            catch {
+                // Even if token exchange fails, saved token from JWT decode might still exist
+                if (accessToken)
+                    saveJwt(accessToken, refreshTok);
+                setState({ error: 'Gagal menyelesaikan login. Silakan coba lagi.', loading: false, phase: 'error' });
+            }
+            // 3. API calls — fire-and-forget (non-blocking)
+            if (accessToken) {
+                fetch(`${apiBase}/auth/set-cookie`, {
+                    method: 'POST', headers: { 'Content-Type': 'application/json' },
+                    credentials: 'include',
+                    body: JSON.stringify({ token: accessToken, refreshToken: refreshTok }),
+                }).catch(() => { });
+                fetch(`${apiBase}/auth/me`, {
+                    headers: { Authorization: `Bearer ${accessToken}` },
+                    credentials: 'include',
+                }).then(r => r.json()).then(d => {
+                    const p = d?.data ?? d;
+                    if (p) {
+                        localStorage.setItem('sms_user_profile', JSON.stringify(p));
+                        document.cookie = `sms_user_profile=${encodeURIComponent(JSON.stringify(p))}; path=/; SameSite=Lax`;
+                    }
+                }).catch(() => { });
+            }
+        })();
+    }, []);
+    return state;
+}

package/dist/index.d.ts

@@ -0,0 +1,10 @@
+export { sha256 } from './sha256';
+export { generateCodeVerifier, generateCodeChallenge, generateState, } from './pkce';
+export { SSO_STORAGE_KEYS, SSO_CHANNELS, API_HEADERS, } from './constants';
+export { createAuthInterceptor } from './interceptor';
+export { useOAuthCallback } from './hooks/useOAuthCallback';
+export { useCrossAppLogout } from './hooks/useCrossAppLogout';
+export { OAuthCallback } from './components/OAuthCallback';
+export type { OAuthCallbackProps } from './components/OAuthCallback';
+export { OAuthTransfer } from './components/OAuthTransfer';
+export type { OAuthTransferProps } from './components/OAuthTransfer';

package/dist/index.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthTransfer = exports.OAuthCallback = exports.useCrossAppLogout = exports.useOAuthCallback = exports.createAuthInterceptor = exports.API_HEADERS = exports.SSO_CHANNELS = exports.SSO_STORAGE_KEYS = exports.generateState = exports.generateCodeChallenge = exports.generateCodeVerifier = exports.sha256 = void 0;
+var sha256_1 = require("./sha256");
+Object.defineProperty(exports, "sha256", { enumerable: true, get: function () { return sha256_1.sha256; } });
+var pkce_1 = require("./pkce");
+Object.defineProperty(exports, "generateCodeVerifier", { enumerable: true, get: function () { return pkce_1.generateCodeVerifier; } });
+Object.defineProperty(exports, "generateCodeChallenge", { enumerable: true, get: function () { return pkce_1.generateCodeChallenge; } });
+Object.defineProperty(exports, "generateState", { enumerable: true, get: function () { return pkce_1.generateState; } });
+var constants_1 = require("./constants");
+Object.defineProperty(exports, "SSO_STORAGE_KEYS", { enumerable: true, get: function () { return constants_1.SSO_STORAGE_KEYS; } });
+Object.defineProperty(exports, "SSO_CHANNELS", { enumerable: true, get: function () { return constants_1.SSO_CHANNELS; } });
+Object.defineProperty(exports, "API_HEADERS", { enumerable: true, get: function () { return constants_1.API_HEADERS; } });
+var interceptor_1 = require("./interceptor");
+Object.defineProperty(exports, "createAuthInterceptor", { enumerable: true, get: function () { return interceptor_1.createAuthInterceptor; } });
+var useOAuthCallback_1 = require("./hooks/useOAuthCallback");
+Object.defineProperty(exports, "useOAuthCallback", { enumerable: true, get: function () { return useOAuthCallback_1.useOAuthCallback; } });
+var useCrossAppLogout_1 = require("./hooks/useCrossAppLogout");
+Object.defineProperty(exports, "useCrossAppLogout", { enumerable: true, get: function () { return useCrossAppLogout_1.useCrossAppLogout; } });
+var OAuthCallback_1 = require("./components/OAuthCallback");
+Object.defineProperty(exports, "OAuthCallback", { enumerable: true, get: function () { return OAuthCallback_1.OAuthCallback; } });
+var OAuthTransfer_1 = require("./components/OAuthTransfer");
+Object.defineProperty(exports, "OAuthTransfer", { enumerable: true, get: function () { return OAuthTransfer_1.OAuthTransfer; } });

package/dist/interceptor.d.ts

@@ -0,0 +1 @@
+export declare function createAuthInterceptor(): (config: any) => any;

package/dist/interceptor.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuthInterceptor = createAuthInterceptor;
+const constants_1 = require("./constants");
+function getCookie(name) {
+    const match = document.cookie.match(new RegExp('(^| )' + name + '=([^;]+)'));
+    return match ? decodeURIComponent(match[2]) : '';
+}
+function createAuthInterceptor() {
+    return (config) => {
+        const token = getCookie(constants_1.SSO_STORAGE_KEYS.ACCESS_TOKEN) || localStorage.getItem(constants_1.SSO_STORAGE_KEYS.ACCESS_TOKEN);
+        if (token) {
+            config.headers[constants_1.API_HEADERS.AUTHORIZATION] = `Bearer ${token}`;
+        }
+        const schoolId = localStorage.getItem(constants_1.SSO_STORAGE_KEYS.SCHOOL_ID) || getCookie('sms_school_id');
+        if (schoolId) {
+            config.headers[constants_1.API_HEADERS.SCHOOL_ID] = schoolId;
+        }
+        config.headers[constants_1.API_HEADERS.USER_ID] = localStorage.getItem(constants_1.SSO_STORAGE_KEYS.USER_ID) || '';
+        config.headers[constants_1.API_HEADERS.USER_ROLE] = localStorage.getItem(constants_1.SSO_STORAGE_KEYS.USER_ROLE) || '';
+        config.headers[constants_1.API_HEADERS.DEVICE_ID] = localStorage.getItem(constants_1.SSO_STORAGE_KEYS.DEVICE_ID) || 'web-unknown';
+        config.headers[constants_1.API_HEADERS.REQUEST_ID] = crypto.randomUUID();
+        return config;
+    };
+}

package/dist/pkce.d.ts

@@ -0,0 +1,3 @@
+export declare function generateCodeVerifier(): string;
+export declare function generateCodeChallenge(verifier: string): Promise<string>;
+export declare function generateState(): string;

package/dist/pkce.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateCodeVerifier = generateCodeVerifier;
+exports.generateCodeChallenge = generateCodeChallenge;
+exports.generateState = generateState;
+const sha256_1 = require("./sha256");
+function base64url(buf) {
+    return btoa(String.fromCharCode(...new Uint8Array(buf)))
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+function generateCodeVerifier() {
+    const array = new Uint8Array(64);
+    crypto.getRandomValues(array);
+    return base64url(array.buffer);
+}
+async function generateCodeChallenge(verifier) {
+    const digest = await (0, sha256_1.sha256)(verifier);
+    return base64url(digest);
+}
+function generateState() {
+    const array = new Uint8Array(16);
+    crypto.getRandomValues(array);
+    return Array.from(array, b => b.toString(36).padStart(2, '0')).join('');
+}

package/dist/sha256.d.ts

@@ -0,0 +1 @@
+export declare function sha256(message: string): Promise<ArrayBuffer>;

package/dist/sha256.js

@@ -0,0 +1,107 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sha256 = sha256;
+// Pure JS SHA-256 implementation — verified against FIPS-180-4 test vectors
+async function sha256(message) {
+    const data = new TextEncoder().encode(message);
+    if (typeof crypto !== 'undefined' && crypto.subtle) {
+        return crypto.subtle.digest('SHA-256', data);
+    }
+    return pureJsSha256(data);
+}
+/* ---------- Pure JS SHA-256 (RFC 6234) ---------- */
+const K = new Uint32Array([
+    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
+    0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
+    0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
+    0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
+    0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
+    0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
+    0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
+    0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
+    0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
+]);
+function safeAdd(x, y) {
+    return (x + y) | 0;
+}
+function sigma0(x) {
+    return ((x >>> 7) | (x << 25)) ^ ((x >>> 18) | (x << 14)) ^ (x >>> 3);
+}
+function sigma1(x) {
+    return ((x >>> 17) | (x << 15)) ^ ((x >>> 19) | (x << 13)) ^ (x >>> 10);
+}
+function Sig0(x) {
+    return ((x >>> 2) | (x << 30)) ^ ((x >>> 13) | (x << 19)) ^ ((x >>> 22) | (x << 10));
+}
+function Sig1(x) {
+    return ((x >>> 6) | (x << 26)) ^ ((x >>> 11) | (x << 21)) ^ ((x >>> 25) | (x << 7));
+}
+function Ch(x, y, z) {
+    return (x & y) ^ (~x & z);
+}
+function Maj(x, y, z) {
+    return (x & y) ^ (x & z) ^ (y & z);
+}
+function pureJsSha256(data) {
+    // Message padding
+    const bitLen = data.length * 8;
+    const padLen = (((data.length + 9 + 63) >>> 6) << 6);
+    const pad = new Uint8Array(padLen);
+    pad.set(data);
+    pad[data.length] = 0x80;
+    const dv = new DataView(pad.buffer);
+    dv.setUint32(padLen - 4, bitLen >>> 0, false);
+    dv.setUint32(padLen - 8, Math.floor(bitLen / 0x100000000), false);
+    // Initial hash values
+    let H0 = 0x6a09e667, H1 = 0xbb67ae85, H2 = 0x3c6ef372, H3 = 0xa54ff53a;
+    let H4 = 0x510e527f, H5 = 0x9b05688c, H6 = 0x1f83d9ab, H7 = 0x5be0cd19;
+    const W = new Uint32Array(64);
+    for (let block = 0; block < padLen; block += 64) {
+        for (let t = 0; t < 16; t++) {
+            W[t] = dv.getUint32(block + t * 4, false);
+        }
+        for (let t = 16; t < 64; t++) {
+            W[t] = safeAdd(safeAdd(safeAdd(sigma1(W[t - 2]), W[t - 7]), sigma0(W[t - 15])), W[t - 16]);
+        }
+        let a = H0, b = H1, c = H2, d = H3;
+        let e = H4, f = H5, g = H6, h = H7;
+        for (let t = 0; t < 64; t++) {
+            const T1 = safeAdd(safeAdd(safeAdd(safeAdd(h, Sig1(e)), Ch(e, f, g)), K[t]), W[t]);
+            const T2 = safeAdd(Sig0(a), Maj(a, b, c));
+            h = g;
+            g = f;
+            f = e;
+            e = safeAdd(d, T1);
+            d = c;
+            c = b;
+            b = a;
+            a = safeAdd(T1, T2);
+        }
+        H0 = safeAdd(H0, a);
+        H1 = safeAdd(H1, b);
+        H2 = safeAdd(H2, c);
+        H3 = safeAdd(H3, d);
+        H4 = safeAdd(H4, e);
+        H5 = safeAdd(H5, f);
+        H6 = safeAdd(H6, g);
+        H7 = safeAdd(H7, h);
+    }
+    const result = new Uint8Array(32);
+    const resView = new DataView(result.buffer);
+    resView.setUint32(0, H0 >>> 0, false);
+    resView.setUint32(4, H1 >>> 0, false);
+    resView.setUint32(8, H2 >>> 0, false);
+    resView.setUint32(12, H3 >>> 0, false);
+    resView.setUint32(16, H4 >>> 0, false);
+    resView.setUint32(20, H5 >>> 0, false);
+    resView.setUint32(24, H6 >>> 0, false);
+    resView.setUint32(28, H7 >>> 0, false);
+    return result.buffer;
+}

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "@loka-sms/sso",
+  "version": "1.0.0",
+  "description": "SSO utilities, hooks, and components for Loka SMS modules (OAuth2 PKCE, cross-app logout)",
+  "license": "MIT",
+  "type": "commonjs",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist/"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "prepublishOnly": "npm run build"
+  },
+  "peerDependencies": {
+    "axios": "^1.0.0",
+    "react": "^18.0.0 || ^19.0.0",
+    "react-router": "^7.0.0"
+  },
+  "devDependencies": {
+    "@types/react": "^19.2.14",
+    "typescript": "^5.9.3"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://pd2-git-immersive.erlangga.id/team-immersive-pd2/project-sms/packages/loka-sms-sso.git"
+  },
+  "keywords": [
+    "loka",
+    "sso",
+    "oauth2",
+    "pkce",
+    "react"
+  ],
+  "dependencies": {}
+}