@meistrari/auth-core 0.1.1 → 1.1.0

package/dist/index.mjs

@@ -1,29 +1,12 @@
 import { createRemoteJWKSet, jwtVerify } from 'jose';
-import { createAuthClient as createAuthClient$1 } from 'better-auth/client';
-import { organizationClient } from 'better-auth/client/plugins';
+import { createAuthClient } from 'better-auth/client';
+import { organizationClient, twoFactorClient, jwtClient, adminClient, inferAdditionalFields } from 'better-auth/client/plugins';
 import { ssoClient } from '@better-auth/sso/client';
 import { createAccessControl } from 'better-auth/plugins/access';
 import { defaultStatements } from 'better-auth/plugins/organization/access';
 
-const version = "0.1.1";
+const version = "1.1.0";
 
-function isTokenExpired(token) {
-  const payload = JSON.parse(atob(token.split(".")[1] ?? ""));
-  return payload.exp && Date.now() / 1e3 > payload.exp;
-}
-async function validateToken(token, apiUrl) {
-  try {
-    const JWKS = createRemoteJWKSet(
-      new URL(`${apiUrl}/api/auth/jwks`)
-    );
-    await jwtVerify(token, JWKS, {
-      issuer: apiUrl
-    });
-    return true;
-  } catch (error) {
-    return false;
-  }
-}
 const statements = {
   ...defaultStatements,
   access: ["admin", "member", "reviewer"]
@@ -49,15 +32,54 @@ const rolesAccessControl = {
     access: ["reviewer"]
   })
 };
+const userAdditionalFields = {
+  lastActiveAt: {
+    type: "date",
+    required: false,
+    defaultValue: null
+  }
+};
+const organizationAdditionalFields = {
+  settings: {
+    type: "json",
+    input: true,
+    required: false
+  }
+};
+
+class BaseError extends Error {
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.code = code;
+  }
+}
+
+class InvalidSocialProvider extends BaseError {
+  constructor(message) {
+    super("INVALID_SOCIAL_PROVIDER", message);
+  }
+}
+class InvalidCallbackURL extends BaseError {
+  constructor(message) {
+    super("INVALID_CALLBACK_URL", message);
+  }
+}
+class EmailRequired extends BaseError {
+  constructor(message) {
+    super("EMAIL_REQUIRED", message);
+  }
+}
+
 const customEndpointsPluginClient = () => {
   return {
     id: "custom-endpoints",
     $InferServerPlugin: {}
   };
 };
-function createAuthClient(baseURL) {
-  return createAuthClient$1({
-    baseURL,
+function createAPIClient(apiUrl, headers) {
+  return createAuthClient({
+    baseURL: apiUrl,
     plugins: [
       organizationClient({
         ac,
@@ -65,17 +87,469 @@ function createAuthClient(baseURL) {
         teams: {
           enabled: true
         }
+        //  TODO: check if this is fixed in the next version
+        // schema: inferOrgAdditionalFields({
+        //     organization: {
+        //         additionalFields: {
+        //             settings: {
+        //                 type: 'json' as const,
+        //                 input: true,
+        //                 required: false,
+        //             }
+        //         },
+        //     }
+        // })
       }),
       customEndpointsPluginClient(),
-      ssoClient()
+      ssoClient(),
+      twoFactorClient(),
+      jwtClient(),
+      adminClient(),
+      inferAdditionalFields({
+        user: userAdditionalFields
+      })
     ],
     fetchOptions: {
       credentials: "include",
       headers: {
-        "User-Agent": `auth-sdk:${version}`
-      }
+        "User-Agent": `auth-sdk:core:${version}`,
+        ...headers
+      },
+      throw: true
     }
   });
 }
+createAPIClient("");
+
+class OrganizationService {
+  /**
+   * Creates a new OrganizationService instance.
+   *
+   * @param client - The API client for making organization requests
+   */
+  constructor(client) {
+    this.client = client;
+  }
+  /**
+   * Retrieves a single organization by ID with optional related data.
+   *
+   * @param id - The organization ID
+   * @param options - Configuration for including related data
+   * @param options.includeMembers - Include organization members
+   * @param options.includeInvitations - Include pending invitations
+   * @param options.includeTeams - Include organization teams
+   * @returns The organization with optionally included related data
+   */
+  async getOrganization(id, options) {
+    const organizationPromise = this.client.organization.list({
+      query: {
+        id
+      }
+    });
+    const membersPromise = options?.includeMembers ? this.client.organization.listMembers({
+      query: {
+        organizationId: id
+      }
+    }) : void 0;
+    const invitationsPromise = options?.includeInvitations ? this.client.organization.listInvitations({
+      query: {
+        organizationId: id
+      }
+    }) : void 0;
+    const teamsPromise = options?.includeTeams ? this.client.organization.listTeams({
+      query: {
+        organizationId: id
+      }
+    }) : void 0;
+    const [organization, members, invitations, teams] = await Promise.all([organizationPromise, membersPromise, invitationsPromise, teamsPromise]);
+    return {
+      ...organization[0],
+      ...members && { members: members.members },
+      ...invitations && { invitations },
+      ...teams && { teams }
+    };
+  }
+  /**
+   * Lists all organizations accessible to the current user.
+   *
+   * @returns An array of organizations
+   */
+  async listOrganizations() {
+    const organizations = await this.client.organization.list();
+    return organizations;
+  }
+  /**
+   * Sets the active organization for the current user session.
+   *
+   * @param id - The organization ID to set as active
+   */
+  async setActiveOrganization(id) {
+    await this.client.organization.setActive({
+      organizationId: id
+    });
+  }
+  /**
+   * Updates an organization's details.
+   *
+   * @param payload - The organization fields to update
+   * @param payload.name - New organization name
+   * @param payload.logo - New organization logo URL
+   * @param payload.settings - New organization settings
+   * @returns The updated organization
+   */
+  async updateOrganization(payload) {
+    const organization = await this.client.organization.update({
+      data: {
+        ...payload,
+        logo: payload.logo ?? void 0
+      }
+    });
+    return organization;
+  }
+  /**
+   * Lists members of the active organization with optional pagination.
+   *
+   * @param options - Pagination options
+   * @param options.limit - Maximum number of members to return
+   * @param options.offset - Number of members to skip
+   * @returns An array of organization members
+   */
+  async listMembers(options) {
+    const members = await this.client.organization.listMembers({
+      query: options
+    });
+    return members.members;
+  }
+  /**
+   * Gets the currently active organization member for the authenticated user.
+   *
+   * @returns The active member object
+   */
+  async getActiveMember() {
+    return this.client.organization.getActiveMember();
+  }
+  /**
+   * Invites a user to join the active organization.
+   *
+   * @param options - Invitation configuration
+   * @param options.userEmail - Email address of the user to invite
+   * @param options.role - Role to assign to the invited user
+   * @param options.teamId - Team ID to add the user to
+   * @param options.resend - Whether to resend if invitation already exists
+   * @returns The created invitation
+   */
+  async inviteUserToOrganization({ userEmail, role, teamId, resend }) {
+    return this.client.organization.inviteMember({
+      email: userEmail,
+      role,
+      teamId,
+      resend: resend ?? false
+    });
+  }
+  /**
+   * Cancels a pending organization invitation.
+   *
+   * @param id - The invitation ID to cancel
+   */
+  async cancelInvitation(id) {
+    await this.client.organization.cancelInvitation({
+      invitationId: id
+    });
+  }
+  /**
+   * Accepts an organization invitation.
+   *
+   * @param id - The invitation ID to accept
+   */
+  async acceptInvitation(id) {
+    await this.client.organization.acceptInvitation({
+      invitationId: id
+    });
+  }
+  /**
+       * Removes a user from the active organization.
+       *
+       * @param options - User identifier (either memberId or userEmail must be provided)
+       * @param options.memberId - The member ID to remove
+       * @param options.userEmail - The user email to remove
+  
+       */
+  async removeUserFromOrganization({ memberId, userEmail }) {
+    await this.client.organization.removeMember({
+      memberIdOrEmail: memberId ?? userEmail
+    });
+  }
+  /**
+   * Updates the role of an organization member.
+   *
+   * @param options - Role update configuration
+   * @param options.memberId - The member ID to update
+   * @param options.role - The new role to assign
+   */
+  async updateMemberRole({ memberId, role }) {
+    await this.client.organization.updateMemberRole({
+      memberId,
+      role
+    });
+  }
+  /**
+   * Creates a new team within the active organization.
+   *
+   * @param payload - Team configuration
+   * @param payload.name - The name of the team
+   * @returns The created team
+   */
+  async createTeam(payload) {
+    return this.client.organization.createTeam(payload);
+  }
+  /**
+   * Updates an existing team's details.
+   *
+   * @param id - The team ID to update
+   * @param payload - Team fields to update
+   * @param payload.name - The new team name
+   * @returns The updated team
+   */
+  async updateTeam(id, payload) {
+    return this.client.organization.updateTeam({
+      teamId: id,
+      data: payload
+    });
+  }
+  /**
+   * Deletes a team from the active organization.
+   *
+   * @param id - The team ID to delete
+   */
+  async deleteTeam(id) {
+    await this.client.organization.removeTeam({
+      teamId: id
+    });
+  }
+  /**
+   * Lists all teams in the active organization.
+   *
+   * @returns An array of teams
+   */
+  async listTeams() {
+    return this.client.organization.listTeams();
+  }
+  /**
+   * Lists all members of a specific team.
+   *
+   * @param id - The team ID
+   * @returns An array of team members
+   */
+  async listTeamMembers(id) {
+    return this.client.organization.listTeamMembers({
+      query: {
+        teamId: id
+      }
+    });
+  }
+  /**
+   * Adds a user to a team.
+   *
+   * @param teamId - The team ID
+   * @param userId - The user ID to add
+   */
+  async addTeamMember(teamId, userId) {
+    await this.client.organization.addTeamMember({
+      teamId,
+      userId
+    });
+  }
+  /**
+   * Removes a user from a team.
+   *
+   * @param teamId - The team ID
+   * @param userId - The user ID to remove
+   */
+  async removeTeamMember(teamId, userId) {
+    await this.client.organization.removeTeamMember({
+      teamId,
+      userId
+    });
+  }
+}
+
+function isValidUrl(url) {
+  try {
+    new URL(url);
+    return true;
+  } catch (error) {
+    return false;
+  }
+}
+class SessionService {
+  /**
+   * Creates a new SessionService instance.
+   *
+   * @param client - The API client for making authentication requests
+   * @param apiUrl - The base URL of the authentication API
+   */
+  constructor(client, apiUrl) {
+    this.client = client;
+    this.apiUrl = apiUrl;
+  }
+  /**
+   * Initiates social authentication flow with Google or Microsoft.
+   *
+   * @param options - Social sign-in configuration
+   * @param options.provider - The social provider
+   * @param options.callbackURL - URL to redirect to after successful authentication
+   * @param options.errorCallbackURL - URL to redirect to on error
+   *
+   * @throws {InvalidSocialProvider} When the provider is not 'google' or 'microsoft'
+   * @throws {InvalidCallbackURL} When callback URLs are malformed
+   */
+  async signInWithSocialProvider({
+    provider,
+    callbackURL,
+    errorCallbackURL
+  }) {
+    if (provider !== "google" && provider !== "microsoft") {
+      throw new InvalidSocialProvider("Invalid social provider");
+    }
+    if (!isValidUrl(callbackURL)) {
+      throw new InvalidCallbackURL(`Invalid callback URL: ${callbackURL}`);
+    }
+    if (errorCallbackURL && !isValidUrl(errorCallbackURL)) {
+      throw new InvalidCallbackURL(`Invalid error callback URL: ${errorCallbackURL}`);
+    }
+    const appUrl = encodeURIComponent(new URL(callbackURL).origin);
+    await this.client.signIn.social({
+      provider,
+      callbackURL,
+      errorCallbackURL: errorCallbackURL ?? `${this.apiUrl}/error?callbackURL=${appUrl}`
+    });
+  }
+  /**
+   * Initiates SAML-based Single Sign-On authentication flow.
+   *
+   * @param options - SAML sign-in configuration
+   * @param options.email - User's email to determine the SAML provider
+   * @param options.callbackURL - URL to redirect to after successful authentication
+   * @param options.errorCallbackURL - URL to redirect to on error
+   *
+   * @throws {EmailRequired} When email is not provided
+   * @throws {InvalidCallbackURL} When callback URLs are malformed
+   */
+  async signInWithSaml({
+    email,
+    callbackURL,
+    errorCallbackURL
+  }) {
+    if (!email) {
+      throw new EmailRequired("Email is required");
+    }
+    if (!isValidUrl(callbackURL)) {
+      throw new InvalidCallbackURL(`Invalid callback URL: ${callbackURL}`);
+    }
+    if (errorCallbackURL && !isValidUrl(errorCallbackURL)) {
+      throw new InvalidCallbackURL(`Invalid error callback URL: ${errorCallbackURL}`);
+    }
+    const appUrl = encodeURIComponent(new URL(callbackURL).origin);
+    await this.client.signIn.sso({
+      email,
+      callbackURL,
+      errorCallbackURL: errorCallbackURL ?? `${this.apiUrl}/error?callbackURL=${appUrl}`,
+      providerType: "saml"
+    });
+  }
+  /**
+   * Authenticates a user with email and password credentials.
+   *
+   * @param options - Email/password sign-in configuration
+   * @param options.email - User's email address
+   * @param options.password - User's password
+   */
+  async signInWithEmailAndPassword({
+    email,
+    password
+  }) {
+    await this.client.signIn.email({
+      email,
+      password
+    });
+  }
+  /**
+   * Signs out the currently authenticated user.
+   *
+   * @param callback - Callback function to execute after signing out
+   */
+  async signOut(callback) {
+    await this.client.signOut();
+    await callback?.();
+  }
+  /**
+   * Initiates a password reset request by sending a reset email.
+   *
+   * @param email - Email address of the user requesting password reset
+   * @param callbackURL - URL where the user will be redirected to complete the reset
+   */
+  async requestPasswordReset(email, callbackURL) {
+    await this.client.requestPasswordReset({
+      email,
+      redirectTo: callbackURL
+    });
+  }
+  /**
+   * Completes the password reset process with a reset token and new password.
+   *
+   * @param token - The password reset token from the email
+   * @param password - The new password to set
+   */
+  async resetPassword(token, password) {
+    await this.client.resetPassword({
+      token,
+      newPassword: password
+    });
+  }
+}
+
+class AuthClient {
+  client;
+  /**
+   * Session management service for authentication operations
+   */
+  session;
+  /**
+   * Organization management service for multi-tenant operations
+   */
+  organization;
+  /**
+   * Creates a new AuthClient instance.
+   *
+   * @param apiUrl - The base URL of the authentication API
+   * @param headers - Custom headers to include in all API requests
+   */
+  constructor(apiUrl, headers) {
+    this.client = createAPIClient(apiUrl, headers);
+    this.session = new SessionService(this.client, apiUrl);
+    this.organization = new OrganizationService(this.client);
+  }
+}
+
+function isTokenExpired(token) {
+  const payload = JSON.parse(atob(token.split(".")[1] ?? ""));
+  return payload.exp && Date.now() / 1e3 > payload.exp;
+}
+async function validateToken(token, apiUrl) {
+  if (isTokenExpired(token)) {
+    return false;
+  }
+  try {
+    const JWKS = createRemoteJWKSet(
+      new URL(`${apiUrl}/api/auth/jwks`)
+    );
+    await jwtVerify(token, JWKS, {
+      issuer: apiUrl
+    });
+    return true;
+  } catch (error) {
+    return false;
+  }
+}
 
-export { Roles, ac, createAuthClient, isTokenExpired, rolesAccessControl, validateToken };
+export { AuthClient, Roles, ac, isTokenExpired, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meistrari/auth-core",
-  "version": "0.1.1",
+  "version": "1.1.0",
   "type": "module",
   "exports": {
     ".": {
@@ -17,9 +17,11 @@
     "build": "unbuild"
   },
   "dependencies": {
-    "@better-auth/sso": "1.3.28",
-    "better-auth": "1.3.28",
-    "jose": "6.1.0"
+    "@better-auth/sso": "1.4.1",
+    "better-auth": "1.4.1",
+    "jose": "6.1.0",
+    "nanostores": "1.0.1",
+    "@better-fetch/fetch": "1.1.18"
   },
   "devDependencies": {
     "@types/node": "latest",