@meistrari/auth-nuxt 2.1.3 → 2.2.0

package/dist/runtime/plugins/auth-guard.js

@@ -5,14 +5,14 @@ export default defineNuxtPlugin(() => {
   const authConfig = config.public.telaAuth;
   const loginPath = authConfig.application?.loginPath ?? "/login";
   const unauthorizedPath = authConfig.application?.unauthorizedPath ?? "/unauthorized";
-  addRouteMiddleware("auth-guard", (to) => {
+  addRouteMiddleware("auth-guard", async (to) => {
     const authMeta = to.meta?.auth;
     if (!authMeta || authMeta.required !== true) {
       return;
     }
     const token = useCookie("tela-access-token");
     if (!token.value) {
-      return navigateTo({
+      return await navigateTo({
         path: loginPath,
         query: { redirect: to.fullPath }
       });
@@ -22,14 +22,14 @@ export default defineNuxtPlugin(() => {
         const payload = decodeJwt(token.value);
         const userRole = payload.user?.role;
         if (!userRole || !authMeta.roles.includes(userRole)) {
-          return navigateTo({
+          return await navigateTo({
             path: unauthorizedPath,
             query: { redirect: to.fullPath }
           });
         }
       } catch (error) {
         console.error("Failed to decode token:", error);
-        return navigateTo({
+        return await navigateTo({
           path: loginPath,
           query: { redirect: to.fullPath }
         });

package/dist/runtime/plugins/handshake.js

@@ -1,8 +1,8 @@
-import { defineNuxtPlugin, useCookie, useRuntimeConfig, useRequestURL } from "#app";
+import { defineNuxtPlugin, useCookie, useRequestURL, useRuntimeConfig } from "#app";
+import { navigateTo, useRoute } from "#imports";
 import { watch } from "vue";
 import { useTelaSession } from "../composables/session.js";
 import { createNuxtAuthClient } from "../shared.js";
-import { useRoute, navigateTo } from "#imports";
 export default defineNuxtPlugin({
   name: "tela-auth-handshake",
   enforce: "pre",
@@ -71,9 +71,9 @@ export default defineNuxtPlugin({
             if (token) {
               tokenCookie.value = token;
             }
-            tokenRefreshInterval = window.setTimeout(createTokenRefreshInterval, 6e4);
+            tokenRefreshInterval = window.setTimeout(() => void createTokenRefreshInterval(), 6e4);
           }
-          createTokenRefreshInterval();
+          await createTokenRefreshInterval();
         }
       }, { immediate: true });
     }

package/dist/runtime/server/middleware/auth.js

@@ -1,6 +1,6 @@
-import { validateToken, extractTokenPayload } from "@meistrari/auth-core";
+import { extractTokenPayload, validateToken } from "@meistrari/auth-core";
 import { defineEventHandler, getCookie } from "h3";
-import { useRuntimeConfig } from "nitropack/runtime/config";
+import { useRuntimeConfig } from "nitropack/runtime";
 async function setAuthContext(event) {
   event.context.auth = {
     user: null,

package/dist/runtime/server/routes/auth/callback.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Server route handler for OAuth 2.0 PKCE callback
+ *
+ * This route:
+ * 1. Receives the authorization code and state from the OAuth provider
+ * 2. Retrieves the code verifier from a secure cookie
+ * 3. Exchanges the code for access and refresh tokens
+ * 4. Sets authentication cookies
+ * 5. Redirects to the home page or login page on error
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<void>>;
+export default _default;

package/dist/runtime/server/routes/auth/callback.js

@@ -0,0 +1,49 @@
+import { useRuntimeConfig } from "#imports";
+import { defineEventHandler, deleteCookie, getCookie, getQuery, sendRedirect, setCookie } from "h3";
+import { createNuxtAuthClient } from "../../../shared.js";
+export default defineEventHandler(async (event) => {
+  const query = getQuery(event);
+  const code = query.code;
+  const state = query.state;
+  const config = useRuntimeConfig();
+  const authConfig = config.public.telaAuth;
+  const loginPath = authConfig.application?.loginPath ?? "/login";
+  if (!code || !state) {
+    console.error("[Auth Callback] Missing code or state parameter");
+    return await sendRedirect(event, `${loginPath}?error=invalid_callback`);
+  }
+  const codeVerifier = getCookie(event, `tela-verifier-${state}`);
+  if (!codeVerifier) {
+    console.error("[Auth Callback] Code verifier not found in cookies");
+    return await sendRedirect(event, `${loginPath}?error=verifier_missing`);
+  }
+  try {
+    const authClient = createNuxtAuthClient(
+      authConfig.apiUrl,
+      () => null,
+      () => null
+    );
+    const { accessToken, refreshToken } = await authClient.application.completeAuthorizationFlow(code, codeVerifier);
+    setCookie(event, "tela-access-token", accessToken, {
+      secure: !import.meta.dev,
+      sameSite: "lax",
+      maxAge: 60 * 15,
+      // 15 minutes
+      path: "/"
+    });
+    setCookie(event, "tela-refresh-token", refreshToken, {
+      secure: !import.meta.dev,
+      sameSite: "lax",
+      httpOnly: true,
+      maxAge: 60 * 60 * 24 * 7,
+      // 7 days
+      path: "/"
+    });
+    deleteCookie(event, `tela-verifier-${state}`, { path: "/" });
+    return await sendRedirect(event, "/");
+  } catch (error) {
+    console.error("[Auth Callback] OAuth flow error:", error);
+    deleteCookie(event, `tela-verifier-${state}`, { path: "/" });
+    return await sendRedirect(event, `${loginPath}?error=auth_failed`);
+  }
+});

package/dist/runtime/server/routes/auth/login.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Server route handler for OAuth 2.0 PKCE initialization
+ *
+ * This route:
+ * 1. Generates a cryptographically secure state key
+ * 2. Generates a code verifier for PKCE
+ * 3. Generates a code challenge from the verifier
+ * 4. Sets the verifier in a secure HTTP-only cookie
+ * 5. Returns only the state and challenge in the response body
+ *
+ * The client never has access to the verifier - it only receives the challenge
+ * and state to use in the authorization URL.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    state: string;
+    challenge: string;
+}>>;
+export default _default;

package/dist/runtime/server/routes/auth/login.js

@@ -0,0 +1,41 @@
+import { defineEventHandler, setCookie } from "h3";
+function hexEncode(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function generateStateKey() {
+  const array = new Uint8Array(8);
+  crypto.getRandomValues(array);
+  return hexEncode(array);
+}
+function generateCodeVerifier() {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  return base64UrlEncode(array);
+}
+function base64UrlEncode(bytes) {
+  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function generateCodeChallenge(verifier) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return base64UrlEncode(new Uint8Array(digest));
+}
+export default defineEventHandler(async (event) => {
+  const state = generateStateKey();
+  const verifier = generateCodeVerifier();
+  const challenge = await generateCodeChallenge(verifier);
+  setCookie(event, `tela-verifier-${state}`, verifier, {
+    secure: !import.meta.dev,
+    sameSite: "lax",
+    httpOnly: true,
+    // Server-only access
+    maxAge: 60 * 10,
+    // 10 minutes - just long enough for OAuth flow
+    path: "/"
+  });
+  return {
+    state,
+    challenge
+  };
+});

package/dist/runtime/server/routes/auth/logout.d.ts

@@ -0,0 +1,4 @@
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    success: boolean;
+}>>;
+export default _default;

package/dist/runtime/server/routes/auth/logout.js

@@ -0,0 +1,26 @@
+import { useRuntimeConfig } from "#imports";
+import { defineEventHandler, deleteCookie, getCookie } from "h3";
+import { createNuxtAuthClient } from "../../../shared.js";
+export default defineEventHandler(async (event) => {
+  const authConfig = useRuntimeConfig().public.telaAuth;
+  const refreshToken = getCookie(event, "tela-refresh-token");
+  deleteCookie(event, "tela-access-token", { path: "/" });
+  deleteCookie(event, "tela-refresh-token", { path: "/" });
+  try {
+    const authClient = createNuxtAuthClient(
+      authConfig.apiUrl,
+      () => null
+    );
+    if (refreshToken) {
+      await authClient.application.logout(refreshToken);
+    }
+    return {
+      success: true
+    };
+  } catch (error) {
+    console.error("[Auth Logout] Failed to logout:", error);
+    return {
+      success: true
+    };
+  }
+});

package/dist/runtime/server/routes/auth/organizations.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Server route handler for listing available organizations
+ *
+ * This route:
+ * 1. Retrieves the access token from the cookie
+ * 2. Calls the auth API to get the list of organizations the user can switch to
+ * 3. Returns the organizations data
+ *
+ * Returns only organizations that are entitled to the application and where
+ * the entitlement's access rules permit the current user.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    success: boolean;
+    organizations: import("@meistrari/auth-core").Organization[];
+}>>;
+export default _default;

package/dist/runtime/server/routes/auth/organizations.js

@@ -0,0 +1,40 @@
+import { createError, useRuntimeConfig } from "#imports";
+import { defineEventHandler, getCookie } from "h3";
+import { createNuxtAuthClient } from "../../../shared.js";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const authConfig = config.public.telaAuth;
+  const accessToken = getCookie(event, "tela-access-token");
+  if (!accessToken) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized",
+      message: "No access token found"
+    });
+  }
+  if (!authConfig.application?.applicationId) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Internal Server Error",
+      message: "Application ID is not configured"
+    });
+  }
+  try {
+    const authClient = createNuxtAuthClient(
+      authConfig.apiUrl,
+      () => accessToken
+    );
+    const { organizations } = await authClient.application.listCandidateOrganizations(authConfig.application.applicationId);
+    return {
+      success: true,
+      organizations
+    };
+  } catch (error) {
+    console.error("[Auth Orgs] Failed to list organizations:", error);
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Internal Server Error",
+      message: "Failed to list organizations"
+    });
+  }
+});

package/dist/runtime/server/routes/auth/refresh.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Server route handler for token refresh
+ *
+ * This route:
+ * 1. Retrieves the refresh token from the secure httponly cookie
+ * 2. Calls the auth API to exchange it for new tokens
+ * 3. Sets the new access and refresh tokens in secure cookies
+ * 4. Returns the user and organization data
+ *
+ * This keeps the refresh token secure by never exposing it to the client.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    success: boolean;
+    user: {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+        twoFactorEnabled: boolean | null | undefined;
+        banned: boolean | null | undefined;
+        role?: string | null | undefined;
+        banReason?: string | null | undefined;
+        banExpires?: Date | null | undefined;
+        lastActiveAt?: Date | null | undefined;
+    };
+    organization: {
+        id: string;
+        title: string;
+        slug: string | null;
+        avatarUrl: string | null;
+        createdAt: Date;
+        metadata: string | null;
+        settings: unknown;
+    };
+}>>;
+export default _default;

package/dist/runtime/server/routes/auth/refresh.js

@@ -0,0 +1,54 @@
+import { createError, useRuntimeConfig } from "#imports";
+import { defineEventHandler, deleteCookie, getCookie, setCookie } from "h3";
+import { createNuxtAuthClient } from "../../../shared.js";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const authConfig = config.public.telaAuth;
+  const refreshToken = getCookie(event, "tela-refresh-token");
+  if (!refreshToken) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized",
+      message: "No refresh token found"
+    });
+  }
+  try {
+    const authClient = createNuxtAuthClient(
+      authConfig.apiUrl,
+      () => null,
+      () => refreshToken
+    );
+    const { accessToken, refreshToken: newRefreshToken, user, organization } = await authClient.application.refreshAccessToken(refreshToken);
+    setCookie(event, "tela-access-token", accessToken, {
+      secure: !import.meta.dev,
+      sameSite: "lax",
+      maxAge: 60 * 15,
+      // 15 minutes
+      priority: "high",
+      path: "/"
+    });
+    setCookie(event, "tela-refresh-token", newRefreshToken, {
+      secure: !import.meta.dev,
+      sameSite: "lax",
+      httpOnly: true,
+      maxAge: 60 * 60 * 24 * 7,
+      // 7 days
+      priority: "high",
+      path: "/"
+    });
+    return {
+      success: true,
+      user,
+      organization
+    };
+  } catch (error) {
+    console.error("[Auth Refresh] Token refresh error:", error);
+    deleteCookie(event, "tela-access-token", { path: "/" });
+    deleteCookie(event, "tela-refresh-token", { path: "/" });
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized",
+      message: "Failed to refresh access token"
+    });
+  }
+});

package/dist/runtime/server/routes/auth/switch-organization.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Server route handler for switching organizations
+ *
+ * This route:
+ * 1. Retrieves the access token from the cookie
+ * 2. Calls the auth API to switch to the specified organization
+ * 3. Sets the new access and refresh tokens in secure cookies
+ * 4. Returns the user and organization data
+ *
+ * The organization must be entitled to the application and the entitlement's
+ * access rules must allow the current user.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    success: boolean;
+    user: {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+        twoFactorEnabled: boolean | null | undefined;
+        banned: boolean | null | undefined;
+        role?: string | null | undefined;
+        banReason?: string | null | undefined;
+        banExpires?: Date | null | undefined;
+        lastActiveAt?: Date | null | undefined;
+    };
+    organization: {
+        id: string;
+        title: string;
+        slug: string | null;
+        avatarUrl: string | null;
+        createdAt: Date;
+        metadata: string | null;
+        settings: unknown;
+    };
+}>>;
+export default _default;

package/dist/runtime/server/routes/auth/switch-organization.js

@@ -0,0 +1,59 @@
+import { createError, useRuntimeConfig } from "#imports";
+import { defineEventHandler, getCookie, readBody, setCookie } from "h3";
+import { createNuxtAuthClient } from "../../../shared.js";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const authConfig = config.public.telaAuth;
+  const accessToken = getCookie(event, "tela-access-token");
+  if (!accessToken) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized",
+      message: "No access token found"
+    });
+  }
+  const body = await readBody(event);
+  if (!body?.organizationId) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Bad Request",
+      message: "Organization ID is required"
+    });
+  }
+  try {
+    const authClient = createNuxtAuthClient(
+      authConfig.apiUrl,
+      () => accessToken
+    );
+    const { accessToken: newAccessToken, refreshToken: newRefreshToken, user, organization } = await authClient.application.switchOrganization(body.organizationId, accessToken);
+    setCookie(event, "tela-access-token", newAccessToken, {
+      secure: !import.meta.dev,
+      sameSite: "lax",
+      maxAge: 60 * 15,
+      // 15 minutes
+      priority: "high",
+      path: "/"
+    });
+    setCookie(event, "tela-refresh-token", newRefreshToken, {
+      secure: !import.meta.dev,
+      sameSite: "lax",
+      httpOnly: true,
+      maxAge: 60 * 60 * 24 * 7,
+      // 7 days
+      priority: "high",
+      path: "/"
+    });
+    return {
+      success: true,
+      user,
+      organization
+    };
+  } catch (error) {
+    console.error("[Auth Switch Org] Failed to switch organization:", error);
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Internal Server Error",
+      message: "Failed to switch organization"
+    });
+  }
+});

package/dist/runtime/server/utils/require-auth.js

@@ -1,6 +1,6 @@
-import { useRuntimeConfig } from "nitropack/runtime";
 import { createError, defineEventHandler, getCookie } from "h3";
 import { createRemoteJWKSet, jwtVerify } from "jose";
+import { useRuntimeConfig } from "nitropack/runtime";
 export function requireAuth(handler, options) {
   return defineEventHandler(async (event) => {
     if (event.context.auth?.user && event.context.auth?.token) {
@@ -54,7 +54,7 @@ export function requireAuth(handler, options) {
         });
       }
       event.context.auth = { user: { ...payload.user, email: payload.email }, workspace: payload.workspace, token };
-      return handler(event);
+      return await handler(event);
     } catch (error) {
       if (error && typeof error === "object" && "statusCode" in error) {
         throw error;

package/dist/runtime/types/page-meta.d.ts

@@ -1,15 +1,14 @@
 declare type Roles = 'meistrari:admin' | (string & {})
 declare module '#app' {
-  interface PageMeta {
-    auth?: {
-      required: false
-    } | {
-      required: true
-      roles?: Roles[]
+    interface PageMeta {
+        auth?: {
+            required: false
+        } | {
+            required: true
+            roles?: Roles[]
+        }
     }
-  }
 }
 
 // It is always important to ensure you import/export something when augmenting a type
 export { }
-

package/package.json

@@ -1,56 +1,56 @@
 {
-    "name": "@meistrari/auth-nuxt",
-    "version": "2.1.3",
-    "type": "module",
-    "exports": {
-        ".": {
-            "types": "./dist/types.d.mts",
-            "import": "./dist/module.mjs"
-        },
-        "./server/middleware/auth": {
-            "types": "./dist/runtime/server/middleware/auth.d.ts",
-            "import": "./dist/runtime/server/middleware/auth.js"
-        },
-        "./core": {
-            "types": "./dist/core.d.mts",
-            "import": "./dist/core.mjs"
-        }
+  "name": "@meistrari/auth-nuxt",
+  "version": "2.2.0",
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./dist/types.d.mts",
+      "import": "./dist/module.mjs"
     },
-    "main": "./dist/module.mjs",
-    "typesVersions": {
-        "*": {
-            ".": [
-                "./dist/types.d.mts"
-            ]
-        }
+    "./server/middleware/auth": {
+      "types": "./dist/runtime/server/middleware/auth.d.ts",
+      "import": "./dist/runtime/server/middleware/auth.js"
     },
-    "files": [
-        "dist"
-    ],
-    "scripts": {
-        "build": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxt-module-build build"
-    },
-    "dependencies": {
-        "@meistrari/auth-core": "1.7.3",
-        "jose": "6.1.3"
-    },
-    "peerDependencies": {
-        "nuxt": "^3.0.0 || ^4.0.0",
-        "vue": "^3.0.0"
-    },
-    "devDependencies": {
-        "@nuxt/devtools": "2.6.3",
-        "@nuxt/eslint-config": "1.9.0",
-        "@nuxt/kit": "4.0.3",
-        "@nuxt/module-builder": "1.0.2",
-        "@nuxt/schema": "4.0.3",
-        "@nuxt/test-utils": "3.19.2",
-        "@types/node": "latest",
-        "changelogen": "0.6.2",
-        "nuxt": "4.0.3",
-        "typescript": "5.9.2",
-        "unbuild": "3.6.1",
-        "vitest": "3.2.4",
-        "vue-tsc": "3.0.6"
+    "./core": {
+      "types": "./dist/core.d.mts",
+      "import": "./dist/core.mjs"
+    }
+  },
+  "main": "./dist/module.mjs",
+  "typesVersions": {
+    "*": {
+      ".": [
+        "./dist/types.d.mts"
+      ]
     }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxt-module-build build"
+  },
+  "dependencies": {
+    "@meistrari/auth-core": "1.8.0",
+    "jose": "6.1.3"
+  },
+  "peerDependencies": {
+    "nuxt": "^3.0.0 || ^4.0.0",
+    "vue": "^3.0.0"
+  },
+  "devDependencies": {
+    "@nuxt/devtools": "2.6.3",
+    "@nuxt/eslint-config": "1.9.0",
+    "@nuxt/kit": "4.0.3",
+    "@nuxt/module-builder": "1.0.2",
+    "@nuxt/schema": "4.0.3",
+    "@nuxt/test-utils": "3.19.2",
+    "@types/node": "latest",
+    "changelogen": "0.6.2",
+    "nuxt": "4.0.3",
+    "typescript": "5.9.2",
+    "unbuild": "3.6.1",
+    "vitest": "3.2.4",
+    "vue-tsc": "3.0.6"
+  }
 }

package/dist/runtime/pages/callback.d.vue.ts

@@ -1,2 +0,0 @@
-declare const _default: import("vue").DefineComponent<{}, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {}, string, import("vue").PublicProps, Readonly<{}> & Readonly<{}>, {}, {}, {}, {}, string, import("vue").ComponentProvideOptions, true, {}, any>;
-export default _default;

package/dist/runtime/pages/callback.vue

@@ -1,35 +0,0 @@
-<script setup>
-import { navigateTo, useRuntimeConfig } from "#app";
-import { onMounted } from "vue";
-import { useTelaApplicationAuth } from "../composables/application-auth";
-const { initSession } = useTelaApplicationAuth();
-const config = useRuntimeConfig();
-const authConfig = config.public.telaAuth;
-const loginPath = authConfig.application?.loginPath ?? "/login";
-onMounted(async () => {
-  try {
-    await initSession();
-    navigateTo("/");
-  } catch (error) {
-    console.error("Session initialization failed:", error);
-    navigateTo({
-      path: loginPath,
-      query: { error: "session_failed" }
-    });
-  }
-});
-</script>
-
-<template>
-  <div class="callback-screen">
-    <div class="callback-square">
-      <div class="callback-border-mask">
-        <div class="callback-border-traveler" />
-      </div>
-    </div>
-  </div>
-</template>
-
-<style scoped>
-.callback-screen{align-items:center;background:#fff;display:flex;height:100dvh;inset:0;justify-content:center;position:fixed;width:100dvw;z-index:9999}.callback-square{background:#fff;border:4px solid #9ca1a9;height:2rem;position:relative;width:2rem}.callback-border-mask{border:4px solid transparent;inset:-4px;mask-clip:padding-box,border-box;-webkit-mask-clip:padding-box,border-box;-webkit-mask-composite:source-in,xor;mask-composite:intersect;-webkit-mask-composite:source-in;mask-image:linear-gradient(transparent,transparent),linear-gradient(#000,#000);-webkit-mask-image:linear-gradient(transparent,transparent),linear-gradient(#000,#000);position:absolute}.callback-border-traveler{animation:border-travel .8s ease-in-out infinite;aspect-ratio:1;background:#000;height:1rem;offset-path:rect(0 auto auto 0);position:absolute;width:40px}@keyframes border-travel{0%{offset-distance:0}to{offset-distance:100%}}
-</style>