@meistrari/auth-core 1.13.3 → 1.15.0

package/dist/index.d.mts

@@ -3324,6 +3324,61 @@ declare function createAPIClient(apiUrl: string, fetchOptions?: BetterFetchOptio
             data: StartAuthorizationFlowResponse;
             error: null;
         }>;
+        startDeviceAuthorizationFlow: (requesterApplicationId: string, targetApplicationId: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: DeviceAuthorizationResponse;
+            error: null;
+        }>;
+        getDeviceAuthorizationContext: (userCode: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: DeviceAuthorizationContextResponse;
+            error: null;
+        }>;
+        approveDeviceAuthorizationFlow: (userCode: string, organizationId: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: DeviceAuthorizationActionResponse;
+            error: null;
+        }>;
+        denyDeviceAuthorizationFlow: (userCode: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: DeviceAuthorizationActionResponse;
+            error: null;
+        }>;
+        exchangeDeviceCodeForTokens: (deviceCode: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: CompleteAuthorizationFlowResponse;
+            error: null;
+        }>;
         completeAuthorizationFlow: (code: string, codeVerifier: string) => Promise<{
             data: null;
             error: {
@@ -4360,6 +4415,32 @@ type WhoAmIResponse = {
     user: User;
     organization: FullOrganization;
 };
+type DeviceAuthorizationResponse = {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    verification_uri_complete: string;
+    expires_in: number;
+    interval: number;
+};
+type DeviceContextApplication = {
+    id: string;
+    name: string;
+    description: string | null;
+};
+type DeviceAuthorizationContextResponse = {
+    requester: DeviceContextApplication & {
+        isVerified: boolean;
+    };
+    target: DeviceContextApplication;
+    organizations: FullOrganization[];
+    preselectedOrganizationId: string | null;
+    status: 'pending' | 'approved' | 'denied';
+    expiresIn: number;
+};
+type DeviceAuthorizationActionResponse = {
+    success: boolean;
+};
 
 declare class BaseError extends Error {
     code: string;
@@ -4378,6 +4459,21 @@ declare class AuthorizationFlowError extends ApplicationError {
 declare class UserNotLoggedInError extends ApplicationError {
     constructor(message: string, options?: ErrorOptions);
 }
+declare class DeviceAuthorizationPendingError extends ApplicationError {
+    constructor(options?: ErrorOptions);
+}
+declare class DeviceAuthorizationSlowDownError extends ApplicationError {
+    constructor(options?: ErrorOptions);
+}
+declare class DeviceAccessDeniedError extends ApplicationError {
+    constructor(options?: ErrorOptions);
+}
+declare class DeviceCodeExpiredError extends ApplicationError {
+    constructor(options?: ErrorOptions);
+}
+declare class DeviceTransientServerError extends ApplicationError {
+    constructor(options?: ErrorOptions);
+}
 
 /**
  * Service for managing applications and their candidate organizations.
@@ -4418,6 +4514,11 @@ declare class ApplicationService {
      * @param organizationId - The organization ID to start the authorization flow for
      */
     startAuthorizationFlow(applicationId: string, redirectUri: string, codeChallenge: string, organizationId: string): Promise<StartAuthorizationFlowResponse>;
+    startDeviceAuthorizationFlow(requesterApplicationId: string, targetApplicationId: string): Promise<DeviceAuthorizationResponse>;
+    getDeviceAuthorizationContext(userCode: string): Promise<DeviceAuthorizationContextResponse>;
+    approveDeviceAuthorizationFlow(userCode: string, organizationId: string): Promise<DeviceAuthorizationActionResponse>;
+    denyDeviceAuthorizationFlow(userCode: string): Promise<DeviceAuthorizationActionResponse>;
+    exchangeDeviceCodeForTokens(deviceCode: string): Promise<CompleteAuthorizationFlowResponse>;
     /**
      * Completes an authorization flow for a specific application.
      *
@@ -4432,7 +4533,7 @@ declare class ApplicationService {
      * @throws {RefreshTokenExpiredError} When the refresh token has expired or is invalid
      * @throws {ApplicationError} For other API errors
      */
-    refreshAccessToken(refreshToken: string): Promise<CompleteAuthorizationFlowResponse>;
+    refreshAccessToken(refreshToken: string): Promise<CompleteAuthorizationFlowResponse | null | undefined>;
     /**
      * Gets the current user and organization for a specific application.
      *
@@ -5083,5 +5184,5 @@ declare function validateToken(token: string, apiUrl: string): Promise<boolean>;
  */
 declare function extractTokenPayload(token: string): JWTPayload;
 
-export { ApplicationError, AuthClient, AuthorizationFlowError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, createAPIClient, extractTokenPayload, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
-export type { APIClient, ApiKey, ApiKeyMetadata, ApiKeyWithoutSecret, Application, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateTeamPayload, FullOrganization, Invitation, InviteUserToOrganizationOptions, ListCandidateOrganizationsResponse, ListMembersOptions, Member, ExtendedOrganization as Organization, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIResponse };
+export { ApplicationError, AuthClient, AuthorizationFlowError, DeviceAccessDeniedError, DeviceAuthorizationPendingError, DeviceAuthorizationSlowDownError, DeviceCodeExpiredError, DeviceTransientServerError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, createAPIClient, extractTokenPayload, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
+export type { APIClient, ApiKey, ApiKeyMetadata, ApiKeyWithoutSecret, Application, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateTeamPayload, DeviceAuthorizationActionResponse, DeviceAuthorizationContextResponse, DeviceAuthorizationResponse, FullOrganization, Invitation, InviteUserToOrganizationOptions, ListCandidateOrganizationsResponse, ListMembersOptions, Member, ExtendedOrganization as Organization, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIResponse };

package/dist/index.d.ts

@@ -3324,6 +3324,61 @@ declare function createAPIClient(apiUrl: string, fetchOptions?: BetterFetchOptio
             data: StartAuthorizationFlowResponse;
             error: null;
         }>;
+        startDeviceAuthorizationFlow: (requesterApplicationId: string, targetApplicationId: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: DeviceAuthorizationResponse;
+            error: null;
+        }>;
+        getDeviceAuthorizationContext: (userCode: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: DeviceAuthorizationContextResponse;
+            error: null;
+        }>;
+        approveDeviceAuthorizationFlow: (userCode: string, organizationId: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: DeviceAuthorizationActionResponse;
+            error: null;
+        }>;
+        denyDeviceAuthorizationFlow: (userCode: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: DeviceAuthorizationActionResponse;
+            error: null;
+        }>;
+        exchangeDeviceCodeForTokens: (deviceCode: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: CompleteAuthorizationFlowResponse;
+            error: null;
+        }>;
         completeAuthorizationFlow: (code: string, codeVerifier: string) => Promise<{
             data: null;
             error: {
@@ -4360,6 +4415,32 @@ type WhoAmIResponse = {
     user: User;
     organization: FullOrganization;
 };
+type DeviceAuthorizationResponse = {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    verification_uri_complete: string;
+    expires_in: number;
+    interval: number;
+};
+type DeviceContextApplication = {
+    id: string;
+    name: string;
+    description: string | null;
+};
+type DeviceAuthorizationContextResponse = {
+    requester: DeviceContextApplication & {
+        isVerified: boolean;
+    };
+    target: DeviceContextApplication;
+    organizations: FullOrganization[];
+    preselectedOrganizationId: string | null;
+    status: 'pending' | 'approved' | 'denied';
+    expiresIn: number;
+};
+type DeviceAuthorizationActionResponse = {
+    success: boolean;
+};
 
 declare class BaseError extends Error {
     code: string;
@@ -4378,6 +4459,21 @@ declare class AuthorizationFlowError extends ApplicationError {
 declare class UserNotLoggedInError extends ApplicationError {
     constructor(message: string, options?: ErrorOptions);
 }
+declare class DeviceAuthorizationPendingError extends ApplicationError {
+    constructor(options?: ErrorOptions);
+}
+declare class DeviceAuthorizationSlowDownError extends ApplicationError {
+    constructor(options?: ErrorOptions);
+}
+declare class DeviceAccessDeniedError extends ApplicationError {
+    constructor(options?: ErrorOptions);
+}
+declare class DeviceCodeExpiredError extends ApplicationError {
+    constructor(options?: ErrorOptions);
+}
+declare class DeviceTransientServerError extends ApplicationError {
+    constructor(options?: ErrorOptions);
+}
 
 /**
  * Service for managing applications and their candidate organizations.
@@ -4418,6 +4514,11 @@ declare class ApplicationService {
      * @param organizationId - The organization ID to start the authorization flow for
      */
     startAuthorizationFlow(applicationId: string, redirectUri: string, codeChallenge: string, organizationId: string): Promise<StartAuthorizationFlowResponse>;
+    startDeviceAuthorizationFlow(requesterApplicationId: string, targetApplicationId: string): Promise<DeviceAuthorizationResponse>;
+    getDeviceAuthorizationContext(userCode: string): Promise<DeviceAuthorizationContextResponse>;
+    approveDeviceAuthorizationFlow(userCode: string, organizationId: string): Promise<DeviceAuthorizationActionResponse>;
+    denyDeviceAuthorizationFlow(userCode: string): Promise<DeviceAuthorizationActionResponse>;
+    exchangeDeviceCodeForTokens(deviceCode: string): Promise<CompleteAuthorizationFlowResponse>;
     /**
      * Completes an authorization flow for a specific application.
      *
@@ -4432,7 +4533,7 @@ declare class ApplicationService {
      * @throws {RefreshTokenExpiredError} When the refresh token has expired or is invalid
      * @throws {ApplicationError} For other API errors
      */
-    refreshAccessToken(refreshToken: string): Promise<CompleteAuthorizationFlowResponse>;
+    refreshAccessToken(refreshToken: string): Promise<CompleteAuthorizationFlowResponse | null | undefined>;
     /**
      * Gets the current user and organization for a specific application.
      *
@@ -5083,5 +5184,5 @@ declare function validateToken(token: string, apiUrl: string): Promise<boolean>;
  */
 declare function extractTokenPayload(token: string): JWTPayload;
 
-export { ApplicationError, AuthClient, AuthorizationFlowError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, createAPIClient, extractTokenPayload, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
-export type { APIClient, ApiKey, ApiKeyMetadata, ApiKeyWithoutSecret, Application, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateTeamPayload, FullOrganization, Invitation, InviteUserToOrganizationOptions, ListCandidateOrganizationsResponse, ListMembersOptions, Member, ExtendedOrganization as Organization, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIResponse };
+export { ApplicationError, AuthClient, AuthorizationFlowError, DeviceAccessDeniedError, DeviceAuthorizationPendingError, DeviceAuthorizationSlowDownError, DeviceCodeExpiredError, DeviceTransientServerError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, createAPIClient, extractTokenPayload, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
+export type { APIClient, ApiKey, ApiKeyMetadata, ApiKeyWithoutSecret, Application, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateTeamPayload, DeviceAuthorizationActionResponse, DeviceAuthorizationContextResponse, DeviceAuthorizationResponse, FullOrganization, Invitation, InviteUserToOrganizationOptions, ListCandidateOrganizationsResponse, ListMembersOptions, Member, ExtendedOrganization as Organization, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIResponse };

package/dist/index.mjs

@@ -8,7 +8,7 @@ import { defaultStatements } from 'better-auth/plugins/organization/access';
 import { z } from 'zod';
 export { APIError } from 'better-auth';
 
-const version = "1.13.3";
+const version = "1.15.0";
 
 const statements = {
   ...defaultStatements,
@@ -78,6 +78,7 @@ const JWTPayload = z.object({
   sessionKey: z.string()
 });
 
+const DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code";
 function applicationsPluginClient() {
   return {
     id: "applications",
@@ -110,6 +111,49 @@ function applicationsPluginClient() {
               }
             });
           },
+          startDeviceAuthorizationFlow: async (requesterApplicationId, targetApplicationId) => {
+            return await $fetch("/applications/device/authorize", {
+              method: "POST",
+              body: {
+                requesterApplicationId,
+                targetApplicationId
+              }
+            });
+          },
+          getDeviceAuthorizationContext: async (userCode) => {
+            return await $fetch("/applications/device/context", {
+              method: "GET",
+              query: {
+                userCode
+              }
+            });
+          },
+          approveDeviceAuthorizationFlow: async (userCode, organizationId) => {
+            return await $fetch("/applications/device/approve", {
+              method: "POST",
+              body: {
+                userCode,
+                organizationId
+              }
+            });
+          },
+          denyDeviceAuthorizationFlow: async (userCode) => {
+            return await $fetch("/applications/device/deny", {
+              method: "POST",
+              body: {
+                userCode
+              }
+            });
+          },
+          exchangeDeviceCodeForTokens: async (deviceCode) => {
+            return await $fetch("/applications/token", {
+              method: "POST",
+              body: {
+                grantType: DEVICE_CODE_GRANT,
+                deviceCode
+              }
+            });
+          },
           completeAuthorizationFlow: async (code, codeVerifier) => {
             return await $fetch("/applications/token", {
               method: "POST",
@@ -241,7 +285,70 @@ class UserNotLoggedInError extends ApplicationError {
     this.code = "USER_NOT_LOGGED_IN";
   }
 }
+class DeviceAuthorizationPendingError extends ApplicationError {
+  constructor(options) {
+    super("Authorization is still pending", options);
+    this.code = "AUTHORIZATION_PENDING";
+  }
+}
+class DeviceAuthorizationSlowDownError extends ApplicationError {
+  constructor(options) {
+    super("Polling too frequently. Slow down and retry later.", options);
+    this.code = "SLOW_DOWN";
+  }
+}
+class DeviceAccessDeniedError extends ApplicationError {
+  constructor(options) {
+    super("The user denied the device authorization request", options);
+    this.code = "ACCESS_DENIED";
+  }
+}
+class DeviceCodeExpiredError extends ApplicationError {
+  constructor(options) {
+    super("The device code expired or has already been consumed", options);
+    this.code = "EXPIRED_TOKEN";
+  }
+}
+class DeviceTransientServerError extends ApplicationError {
+  constructor(options) {
+    super("The authorization server returned a transient error. The exchange can be safely retried.", options);
+    this.code = "TRANSIENT_SERVER_ERROR";
+  }
+}
 
+function parseErrorCode(error) {
+  if (!error || typeof error !== "object") {
+    return null;
+  }
+  const candidateError = error;
+  return candidateError.code ?? candidateError.error?.code ?? null;
+}
+function parseErrorMessage(error) {
+  if (!error || typeof error !== "object") {
+    return "Failed to exchange device code for tokens";
+  }
+  const candidateError = error;
+  return candidateError.message ?? candidateError.error?.message ?? "Failed to exchange device code for tokens";
+}
+function throwDeviceGrantError(error) {
+  const code = parseErrorCode(error);
+  if (code === "authorization_pending") {
+    throw new DeviceAuthorizationPendingError({ cause: error });
+  }
+  if (code === "slow_down") {
+    throw new DeviceAuthorizationSlowDownError({ cause: error });
+  }
+  if (code === "access_denied") {
+    throw new DeviceAccessDeniedError({ cause: error });
+  }
+  if (code === "expired_token") {
+    throw new DeviceCodeExpiredError({ cause: error });
+  }
+  if (code === "temporarily_unavailable") {
+    throw new DeviceTransientServerError({ cause: error });
+  }
+  throw new ApplicationError(parseErrorMessage(error), { cause: error });
+}
 class ApplicationService {
   /**
    * Creates a new ApplicationService instance.
@@ -282,6 +389,47 @@ class ApplicationService {
     }
     return response.data;
   }
+  async startDeviceAuthorizationFlow(requesterApplicationId, targetApplicationId) {
+    const response = await this.client.applications.startDeviceAuthorizationFlow(requesterApplicationId, targetApplicationId);
+    if (!response.data) {
+      throw new Error("No data returned from the API", { cause: response.error });
+    }
+    return response.data;
+  }
+  async getDeviceAuthorizationContext(userCode) {
+    const response = await this.client.applications.getDeviceAuthorizationContext(userCode);
+    if (!response.data) {
+      throw new Error("No data returned from the API", { cause: response.error });
+    }
+    return response.data;
+  }
+  async approveDeviceAuthorizationFlow(userCode, organizationId) {
+    const response = await this.client.applications.approveDeviceAuthorizationFlow(userCode, organizationId);
+    if (!response.data) {
+      throw new Error("No data returned from the API", { cause: response.error });
+    }
+    return response.data;
+  }
+  async denyDeviceAuthorizationFlow(userCode) {
+    const response = await this.client.applications.denyDeviceAuthorizationFlow(userCode);
+    if (!response.data) {
+      throw new Error("No data returned from the API", { cause: response.error });
+    }
+    return response.data;
+  }
+  async exchangeDeviceCodeForTokens(deviceCode) {
+    try {
+      const response = await this.client.applications.exchangeDeviceCodeForTokens(deviceCode);
+      if (!response.data) {
+        throwDeviceGrantError(response.error);
+      }
+      return response.data;
+    } catch (error) {
+      if (error instanceof ApplicationError)
+        throw error;
+      throwDeviceGrantError(error);
+    }
+  }
   /**
    * Completes an authorization flow for a specific application.
    *
@@ -303,16 +451,25 @@ class ApplicationService {
    * @throws {ApplicationError} For other API errors
    */
   async refreshAccessToken(refreshToken) {
-    const response = await this.client.applications.refreshAccessToken(refreshToken);
-    if (!response.data) {
-      const error = response.error;
+    const handleRefreshError = (error) => {
       const status = error?.status;
       if (status === 404) {
         throw new RefreshTokenExpiredError({ cause: error });
       }
-      throw new ApplicationError(error?.message || "Failed to refresh access token", { cause: error });
+      const message = error?.message;
+      throw new ApplicationError(message || "Failed to refresh access token", { cause: error });
+    };
+    try {
+      const response = await this.client.applications.refreshAccessToken(refreshToken);
+      if (!response.data) {
+        handleRefreshError(response.error);
+      }
+      return response.data;
+    } catch (error) {
+      if (error instanceof ApplicationError)
+        throw error;
+      handleRefreshError(error);
     }
-    return response.data;
   }
   /**
    * Gets the current user and organization for a specific application.
@@ -877,4 +1034,4 @@ function extractTokenPayload(token) {
   return payload;
 }
 
-export { ApplicationError, AuthClient, AuthorizationFlowError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, extractTokenPayload, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
+export { ApplicationError, AuthClient, AuthorizationFlowError, DeviceAccessDeniedError, DeviceAuthorizationPendingError, DeviceAuthorizationSlowDownError, DeviceCodeExpiredError, DeviceTransientServerError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, extractTokenPayload, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meistrari/auth-core",
-  "version": "1.13.3",
+  "version": "1.15.0",
   "type": "module",
   "exports": {
     ".": {