@meistrari/auth-nuxt 1.0.5 → 1.1.0

package/README.md

@@ -99,7 +99,7 @@ await signInWithEmailAndPassword({
 ```typescript
 await signInWithSocialProvider({
     provider: 'google', // or 'microsoft'
-    callbackURL: '/dashboard',
+    callbackURL: '/',
     errorCallbackURL: '/login?error=true'
 })
 ```
@@ -108,7 +108,7 @@ await signInWithSocialProvider({
 ```typescript
 await signInWithSaml({
     email: 'user@example.com',
-    callbackURL: '/dashboard',
+    callbackURL: '/',
     errorCallbackURL: '/login?error=true'
 })
 ```

package/dist/module.d.mts

@@ -7,6 +7,16 @@ interface ModuleOptions {
     jwtCookieName: string;
     /** Skip default server middleware */
     skipServerMiddleware: boolean;
+    application?: {
+        /** Whether to enable application authentication */
+        enabled: boolean;
+        /** Auth Dashboard URL */
+        dashboardUrl: string;
+        /** The ID of the application to authenticate with */
+        applicationId: string;
+        /** The redirect URI to redirect to after authentication. Must be registered in the application's settings. */
+        redirectUri: string;
+    };
 }
 declare const _default: _nuxt_schema.NuxtModule<ModuleOptions, ModuleOptions, false>;
 

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "@meistrari/auth-nuxt",
   "configKey": "telaAuth",
-  "version": "1.0.5",
+  "version": "1.1.0",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/module.mjs

@@ -1,4 +1,4 @@
-import { defineNuxtModule, createResolver, addServerHandler, addImports, addPlugin } from '@nuxt/kit';
+import { defineNuxtModule, createResolver, addImports, addPlugin, addServerHandler } from '@nuxt/kit';
 
 const module$1 = defineNuxtModule({
   meta: {
@@ -12,6 +12,15 @@ const module$1 = defineNuxtModule({
   setup(options, nuxt) {
     const resolver = createResolver(import.meta.url);
     nuxt.options.runtimeConfig.public.telaAuth = options;
+    if (options.application?.enabled) {
+      addImports({
+        name: "useTelaApplicationAuth",
+        as: "useTelaApplicationAuth",
+        from: resolver.resolve("runtime/composables/application-auth")
+      });
+      addPlugin(resolver.resolve("./runtime/plugins/application-token-refresh"));
+      return;
+    }
     if (!options.skipServerMiddleware) {
       addServerHandler({
         route: "",
@@ -33,7 +42,7 @@ const module$1 = defineNuxtModule({
       as: "useTelaApiKey",
       from: resolver.resolve("runtime/composables/api-key")
     });
-    addPlugin(resolver.resolve("./runtime/plugin"));
+    addPlugin(resolver.resolve("./runtime/plugins/handshake"));
   }
 });
 

package/dist/runtime/composables/application-auth.d.ts

@@ -0,0 +1,69 @@
+/**
+ * Composable for managing Tela application authentication with OAuth 2.0 PKCE flow
+ *
+ * Provides methods to:
+ * - Initiate OAuth login flow with PKCE
+ * - Exchange authorization codes for tokens
+ * - Automatically refresh access tokens
+ * - Manage user session state
+ * - Handle logout
+ *
+ * @returns An object containing authentication state and methods
+ * @throws {Error} If auth dashboard URL is not configured
+ *
+ * @example
+ * ```ts
+ * const auth = useTelaApplicationAuth()
+ *
+ * // Initiate login
+ * await auth.login({
+ *   applicationId: 'app-123',
+ *   redirectUri: 'https://example.com/callback'
+ * })
+ *
+ * // Initialize session (handles OAuth callback and token refresh)
+ * await auth.initSession()
+ *
+ * // Access user state
+ * console.log(auth.user.value)
+ * console.log(auth.activeOrganization.value)
+ *
+ * // Logout
+ * await auth.logout()
+ * ```
+ */
+export declare function useTelaApplicationAuth(): {
+    login: () => Promise<void>;
+    logout: () => Promise<void>;
+    initSession: () => Promise<void>;
+    user: import("vue").Ref<{
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+        twoFactorEnabled: boolean | null | undefined;
+        banned: boolean | null | undefined;
+        role?: string | null | undefined;
+        banReason?: string | null | undefined;
+        banExpires?: Date | null | undefined;
+        lastActiveAt?: Date | null | undefined;
+    } | null, {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+        twoFactorEnabled: boolean | null | undefined;
+        banned: boolean | null | undefined;
+        role?: string | null | undefined;
+        banReason?: string | null | undefined;
+        banExpires?: Date | null | undefined;
+        lastActiveAt?: Date | null | undefined;
+    } | null>;
+    activeOrganization: import("vue").Ref<Omit<import("@meistrari/auth-core").FullOrganization, "members" | "invitations" | "teams"> | null, Omit<import("@meistrari/auth-core").FullOrganization, "members" | "invitations" | "teams"> | null>;
+};

package/dist/runtime/composables/application-auth.js

@@ -0,0 +1,171 @@
+import { navigateTo, useCookie, useRoute, useRuntimeConfig } from "#app";
+import { createNuxtAuthClient } from "../shared.js";
+import { useApplicationSessionState } from "./state.js";
+import { AuthorizationFlowError, isTokenExpired, RefreshTokenExpiredError } from "@meistrari/auth-core";
+const SEVEN_DAYS = 60 * 60 * 24 * 7;
+const FIFTEEN_MINUTES = 60 * 15;
+const ONE_MINUTE = 60 * 1e3;
+function verifier(stateKey) {
+  return `code_verifier_${stateKey}`;
+}
+function hexEncode(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function generateStateKey(query) {
+  if (query.state && typeof query.state === "string") {
+    return query.state;
+  }
+  const array = new Uint8Array(8);
+  crypto.getRandomValues(array);
+  return hexEncode(array);
+}
+function generateCodeVerifier() {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  return base64UrlEncode(array);
+}
+async function generateCodeChallenge(verifier2) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier2);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return base64UrlEncode(new Uint8Array(digest));
+}
+function base64UrlEncode(bytes) {
+  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function mapOrganization(organization) {
+  return {
+    name: organization.title,
+    id: organization.id,
+    createdAt: organization.createdAt,
+    logo: organization.avatarUrl,
+    metadata: organization.metadata,
+    slug: organization.slug ?? ""
+  };
+}
+export function useTelaApplicationAuth() {
+  const appConfig = useRuntimeConfig().public.telaAuth;
+  const query = useRoute().query;
+  const accessTokenCookie = useCookie("tela-access-token", {
+    secure: true,
+    sameSite: "lax",
+    maxAge: FIFTEEN_MINUTES
+  });
+  const refreshTokenCookie = useCookie("tela-refresh-token", {
+    secure: true,
+    sameSite: "lax",
+    maxAge: SEVEN_DAYS
+  });
+  const authClient = createNuxtAuthClient(appConfig.apiUrl, () => null, () => refreshTokenCookie.value ?? null);
+  const state = useApplicationSessionState();
+  if (!appConfig.application?.dashboardUrl) {
+    throw new Error(
+      "[Tela Auth SDK] Auth dashboard URL is not configured, but it is required to use application authentication."
+    );
+  }
+  if (!appConfig.application?.applicationId) {
+    throw new Error(
+      "[Tela Auth SDK] Application ID is not configured, but it is required to use application authentication."
+    );
+  }
+  if (!appConfig.application?.redirectUri) {
+    throw new Error(
+      "[Tela Auth SDK] Redirect URI is not configured, but it is required to use application authentication."
+    );
+  }
+  const { applicationId, redirectUri } = appConfig.application;
+  async function login() {
+    if (import.meta.server) {
+      throw new AuthorizationFlowError("The login function can only be called on the client side.");
+    }
+    if (typeof localStorage === "undefined") {
+      throw new AuthorizationFlowError("localStorage is not available. The login function must be called on the client side.");
+    }
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = await generateCodeChallenge(codeVerifier);
+    const stateKey = generateStateKey(query);
+    localStorage.setItem(verifier(stateKey), codeVerifier);
+    const url = new URL("/applications/login", appConfig.application?.dashboardUrl);
+    url.searchParams.set("application_id", applicationId);
+    url.searchParams.set("code_challenge", codeChallenge);
+    url.searchParams.set("redirect_uri", redirectUri);
+    url.searchParams.set("state", stateKey);
+    navigateTo(url.toString(), { external: true });
+  }
+  async function logout() {
+    accessTokenCookie.value = null;
+    refreshTokenCookie.value = null;
+    state.user.value = null;
+    state.activeOrganization.value = null;
+    if (typeof localStorage !== "undefined") {
+      for (const key in localStorage) {
+        if (key.startsWith("code_verifier_")) {
+          localStorage.removeItem(key);
+        }
+      }
+    }
+  }
+  async function exchangeCodeForToken() {
+    if (import.meta.server) {
+      throw new AuthorizationFlowError("The exchangeCodeForToken function can only be called on the client side.");
+    }
+    const code = query.code;
+    const stateKey = query.state;
+    if (!code) {
+      throw new AuthorizationFlowError("Authorization code not found in query parameters");
+    }
+    if (!stateKey) {
+      throw new AuthorizationFlowError("State parameter not found in query parameters");
+    }
+    if (typeof localStorage === "undefined") {
+      throw new AuthorizationFlowError("localStorage is not available");
+    }
+    const codeVerifierKey = verifier(stateKey);
+    const codeVerifier = localStorage.getItem(codeVerifierKey);
+    if (!codeVerifier) {
+      throw new AuthorizationFlowError("Code verifier not found. This may indicate a CSRF attack or expired session.");
+    }
+    try {
+      const { accessToken, refreshToken: refreshToken2, user, organization } = await authClient.application.completeAuthorizationFlow(code, codeVerifier);
+      accessTokenCookie.value = accessToken;
+      refreshTokenCookie.value = refreshToken2;
+      state.user.value = user;
+      state.activeOrganization.value = mapOrganization(organization);
+    } finally {
+      localStorage.removeItem(codeVerifierKey);
+    }
+  }
+  async function refreshToken() {
+    if (!refreshTokenCookie.value) {
+      throw new RefreshTokenExpiredError();
+    }
+    const { accessToken, refreshToken: refreshToken2, user, organization } = await authClient.application.refreshAccessToken();
+    accessTokenCookie.value = accessToken;
+    refreshTokenCookie.value = refreshToken2;
+    state.user.value = user;
+    state.activeOrganization.value = mapOrganization(organization);
+  }
+  async function initSession() {
+    const code = query.code;
+    if (code) {
+      await exchangeCodeForToken();
+    }
+    if (!accessTokenCookie.value && !refreshTokenCookie.value) {
+      throw new RefreshTokenExpiredError();
+    }
+    const isExpiredOrClose = accessTokenCookie.value ? isTokenExpired(accessTokenCookie.value, ONE_MINUTE) : true;
+    if (isExpiredOrClose && !refreshTokenCookie.value) {
+      await logout();
+      throw new RefreshTokenExpiredError();
+    }
+    if (isExpiredOrClose && refreshTokenCookie.value) {
+      await refreshToken();
+    }
+  }
+  return {
+    ...state,
+    login,
+    logout,
+    initSession
+  };
+}

package/dist/runtime/composables/organization.d.ts

@@ -1,16 +1,15 @@
 import type { Ref } from 'vue';
 import type { CreateTeamPayload, FullOrganization, Invitation, InviteUserToOrganizationOptions, ListMembersOptions, Member, RemoveUserFromOrganizationOptions, Team, TeamMember, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload } from '@meistrari/auth-core';
-import type { FullOrganizationWithRelations } from './state.js';
 export interface UseTelaOrganizationReturn {
     /** Reactive reference to the active organization with members, invitations, and teams. */
-    activeOrganization: Ref<FullOrganizationWithRelations | null>;
+    activeOrganization: Ref<FullOrganization | null>;
     /** Reactive reference to the current user's membership in the active organization. */
     activeMember: Ref<Member | null>;
     /**
      * Retrieves the active organization for the current user session and updates the active organization state.
      * @returns The active organization with members, invitations, and teams
      */
-    getActiveOrganization: () => Promise<FullOrganizationWithRelations | undefined>;
+    getActiveOrganization: () => Promise<FullOrganization | undefined>;
     /**
      * Lists all organizations for the current user session.
      * @returns A list of organizations

package/dist/runtime/composables/organization.js

@@ -10,14 +10,7 @@ export function useTelaOrganization() {
     if (!session.value?.activeOrganizationId) {
       return;
     }
-    const organization = await authClient.organization.getOrganization(
-      session.value?.activeOrganizationId,
-      {
-        includeMembers: true,
-        includeInvitations: true,
-        includeTeams: true
-      }
-    );
+    const organization = await authClient.organization.getOrganization(session.value?.activeOrganizationId);
     activeOrganization.value = organization;
     return organization;
   }
@@ -27,11 +20,7 @@ export function useTelaOrganization() {
   async function setActiveOrganization(id) {
     await authClient.organization.setActiveOrganization(id);
     const [organization, { token }] = await Promise.all([
-      authClient.organization.getOrganization(id, {
-        includeMembers: true,
-        includeInvitations: true,
-        includeTeams: true
-      }),
+      authClient.organization.getOrganization(id),
       authClient.session.getToken()
     ]);
     useCookie(jwtCookieName).value = token;

package/dist/runtime/composables/state.d.ts

@@ -1,9 +1,4 @@
-import type { FullOrganization, Invitation, Member, Team } from '@meistrari/auth-core';
-export type FullOrganizationWithRelations = FullOrganization & {
-    members: Member[];
-    invitations: Invitation[];
-    teams: Team[];
-};
+import type { FullOrganization, Member } from '@meistrari/auth-core';
 /**
  * Shared state for session management.
  * This module provides access to session-related state without creating circular dependencies.
@@ -69,6 +64,38 @@ export declare function useSessionState(): {
  * This module provides access to organization-related state without creating circular dependencies.
  */
 export declare function useOrganizationState(): {
-    activeOrganization: import("vue").Ref<FullOrganizationWithRelations | null, FullOrganizationWithRelations | null>;
+    activeOrganization: import("vue").Ref<FullOrganization | null, FullOrganization | null>;
     activeMember: import("vue").Ref<Member | null, Member | null>;
 };
+export declare function useApplicationSessionState(): {
+    user: import("vue").Ref<{
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+        twoFactorEnabled: boolean | null | undefined;
+        banned: boolean | null | undefined;
+        role?: string | null | undefined;
+        banReason?: string | null | undefined;
+        banExpires?: Date | null | undefined;
+        lastActiveAt?: Date | null | undefined;
+    } | null, {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+        twoFactorEnabled: boolean | null | undefined;
+        banned: boolean | null | undefined;
+        role?: string | null | undefined;
+        banReason?: string | null | undefined;
+        banExpires?: Date | null | undefined;
+        lastActiveAt?: Date | null | undefined;
+    } | null>;
+    activeOrganization: import("vue").Ref<Omit<FullOrganization, "members" | "invitations" | "teams"> | null, Omit<FullOrganization, "members" | "invitations" | "teams"> | null>;
+};

package/dist/runtime/composables/state.js

@@ -15,3 +15,11 @@ export function useOrganizationState() {
     activeMember
   };
 }
+export function useApplicationSessionState() {
+  const user = useState("user", () => null);
+  const activeOrganization = useState("activeOrganization", () => null);
+  return {
+    user,
+    activeOrganization
+  };
+}

package/dist/runtime/plugins/application-token-refresh.js

@@ -0,0 +1,134 @@
+import { defineNuxtPlugin, useCookie, useRuntimeConfig } from "#app";
+import { isTokenExpired } from "@meistrari/auth-core";
+import { useApplicationSessionState } from "../composables/state.js";
+import { createNuxtAuthClient } from "../shared.js";
+import { watch } from "vue";
+const SEVEN_DAYS = 60 * 60 * 24 * 7;
+const FIFTEEN_MINUTES = 60 * 15;
+const TWO_MINUTES = 2 * 60 * 1e3;
+function parseTokenExpiry(token) {
+  try {
+    const tokenParts = token.split(".");
+    const payloadPart = tokenParts[1];
+    if (!payloadPart) return null;
+    const payload = JSON.parse(atob(payloadPart));
+    if (!payload.exp) return null;
+    return payload.exp * 1e3;
+  } catch {
+    return null;
+  }
+}
+function mapOrganization(organization) {
+  return {
+    name: organization.title,
+    id: organization.id,
+    createdAt: organization.createdAt,
+    logo: organization.avatarUrl,
+    metadata: organization.metadata,
+    slug: organization.slug ?? ""
+  };
+}
+export default defineNuxtPlugin({
+  name: "tela-application-token-refresh",
+  enforce: "post",
+  env: {
+    islands: false
+  },
+  async setup() {
+    const appConfig = useRuntimeConfig().public.telaAuth;
+    const state = useApplicationSessionState();
+    const accessTokenCookie = useCookie("tela-access-token", {
+      secure: true,
+      sameSite: "lax",
+      maxAge: FIFTEEN_MINUTES
+    });
+    const refreshTokenCookie = useCookie("tela-refresh-token", {
+      secure: true,
+      sameSite: "lax",
+      maxAge: SEVEN_DAYS
+    });
+    const authClient = createNuxtAuthClient(appConfig.apiUrl, () => null, () => refreshTokenCookie.value ?? null);
+    let tokenRefreshInterval = null;
+    let isRefreshing = false;
+    let retryCount = 0;
+    const MAX_RETRIES = 3;
+    async function refreshToken() {
+      if (isRefreshing) {
+        return;
+      }
+      isRefreshing = true;
+      try {
+        const { accessToken, refreshToken: refreshToken2, user, organization } = await authClient.application.refreshAccessToken();
+        accessTokenCookie.value = accessToken;
+        refreshTokenCookie.value = refreshToken2;
+        state.user.value = user;
+        state.activeOrganization.value = mapOrganization(organization);
+      } finally {
+        isRefreshing = false;
+      }
+    }
+    function logout() {
+      accessTokenCookie.value = null;
+      refreshTokenCookie.value = null;
+      state.user.value = null;
+      state.activeOrganization.value = null;
+    }
+    async function scheduleTokenRefresh() {
+      if (tokenRefreshInterval) {
+        clearTimeout(tokenRefreshInterval);
+        tokenRefreshInterval = null;
+      }
+      if (!accessTokenCookie.value) {
+        return;
+      }
+      if (isTokenExpired(accessTokenCookie.value, TWO_MINUTES)) {
+        await refreshToken();
+      }
+      const expiry = parseTokenExpiry(accessTokenCookie.value);
+      if (!expiry) {
+        return;
+      }
+      const nextRefresh = Math.max(expiry - TWO_MINUTES - Date.now(), 0);
+      tokenRefreshInterval = window.setTimeout(refreshToken, nextRefresh);
+    }
+    if (import.meta.server) {
+      if (accessTokenCookie.value) {
+        try {
+          const data = await authClient.application.whoAmI(accessTokenCookie.value);
+          state.user.value = data.user;
+          state.activeOrganization.value = mapOrganization(data.organization);
+        } catch (error) {
+          console.error(`[Tela Auth SDK] Failed to get user and organization:`, error.message);
+          if (!refreshTokenCookie.value) {
+            console.error(`[Tela Auth SDK] Missing refresh token, logging out...`);
+            logout();
+            return;
+          }
+          const refreshTokenValue = refreshTokenCookie.value;
+          try {
+            await refreshToken();
+          } catch (error2) {
+            console.error(`[Tela Auth SDK] Failed to refresh token ${refreshTokenValue}...:`, error2.message);
+            logout();
+          }
+        }
+      }
+      if (!accessTokenCookie.value && refreshTokenCookie.value) {
+        try {
+          await refreshToken();
+        } catch (error) {
+          console.error(`[Tela Auth SDK] Failed to refresh token ${refreshTokenCookie.value}...:`, error.message);
+          logout();
+        }
+      }
+      return;
+    }
+    if (import.meta.client) {
+      watch(refreshTokenCookie, async (newVal) => {
+        if (newVal) {
+          await scheduleTokenRefresh();
+        }
+      }, { immediate: true });
+    }
+  }
+});

package/dist/runtime/plugins/handshake.d.ts

@@ -0,0 +1,2 @@
+declare const _default: import("#app").Plugin<Record<string, unknown>> & import("#app").ObjectPlugin<Record<string, unknown>>;
+export default _default;

package/dist/runtime/{plugin.js → plugins/handshake.js}

@@ -1,10 +1,10 @@
 import { defineNuxtPlugin, useCookie, useRuntimeConfig, useRequestURL } from "#app";
 import { watch } from "vue";
-import { useTelaSession } from "./composables/session.js";
-import { createNuxtAuthClient } from "./shared.js";
+import { useTelaSession } from "../composables/session.js";
+import { createNuxtAuthClient } from "../shared.js";
 import { useRoute, navigateTo } from "#imports";
 export default defineNuxtPlugin({
-  name: "tela-auth",
+  name: "tela-auth-handshake",
   enforce: "pre",
   env: {
     islands: false

package/dist/runtime/shared.d.ts

@@ -1,2 +1,2 @@
 import { AuthClient } from '@meistrari/auth-core';
-export declare function createNuxtAuthClient(apiUrl: string, getAuthToken: () => string | null): AuthClient;
+export declare function createNuxtAuthClient(apiUrl: string, getAuthToken: () => string | null, getRefreshToken?: () => string | null): AuthClient;

package/dist/runtime/shared.js

@@ -1,6 +1,6 @@
 import { AuthClient } from "@meistrari/auth-core";
 import { version } from "../../package.json";
-export function createNuxtAuthClient(apiUrl, getAuthToken) {
+export function createNuxtAuthClient(apiUrl, getAuthToken, getRefreshToken = () => null) {
   const serviceName = typeof process !== "undefined" ? process.env.SERVICE_NAME : "";
   const userAgent = `auth-sdk:nuxt:${version}${serviceName ? `@${serviceName}` : ""}`;
   return new AuthClient(apiUrl, {
@@ -14,6 +14,15 @@ export function createNuxtAuthClient(apiUrl, getAuthToken) {
       if (token && !isTokenRequest) {
         context.headers.set("Authorization", `Bearer ${token}`);
       }
+      const isRefreshTokenRequest = requestUrl.pathname.endsWith("/api/auth/applications/token/refresh");
+      if (isRefreshTokenRequest) {
+        const refreshToken = getRefreshToken();
+        if (refreshToken) {
+          const cookie = context.headers.get("Cookie");
+          const newCookie = cookie ? `${cookie}; tela-refresh-token=${refreshToken}` : `tela-refresh-token=${refreshToken}`;
+          context.headers.set("Cookie", newCookie);
+        }
+      }
     }
   });
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meistrari/auth-nuxt",
-  "version": "1.0.5",
+  "version": "1.1.0",
   "type": "module",
   "exports": {
     ".": {
@@ -31,7 +31,7 @@
     "build": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxt-module-build build"
   },
   "dependencies": {
-    "@meistrari/auth-core": "1.5.1"
+    "@meistrari/auth-core": "1.6.0"
   },
   "peerDependencies": {
     "nuxt": "^3.0.0 || ^4.0.0"