@meistrari/auth-nuxt 2.1.4 → 2.2.0

package/dist/module.d.mts

@@ -14,7 +14,7 @@ interface ModuleOptions {
         dashboardUrl: string;
         /** The ID of the application to authenticate with */
         applicationId: string;
-        /** The redirect URI to redirect to after authentication. Must be registered in the application's settings. */
+        /** The authentication callback URL. Usually `{your-app-url}/auth/callback` */
         redirectUri: string;
         /** Path to redirect to when authentication is required (default: '/login') */
         loginPath?: string;

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "@meistrari/auth-nuxt",
   "configKey": "telaAuth",
-  "version": "2.1.4",
+  "version": "2.2.0",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/module.mjs

@@ -1,4 +1,4 @@
-import { defineNuxtModule, createResolver, addImports, addPlugin, extendPages, addComponent, addServerImportsDir, addServerHandler } from '@nuxt/kit';
+import { defineNuxtModule, createResolver, addImports, addComponent, addServerImportsDir, addServerHandler, addPlugin } from '@nuxt/kit';
 
 const module$1 = defineNuxtModule({
   meta: {
@@ -18,14 +18,6 @@ const module$1 = defineNuxtModule({
         as: "useTelaApplicationAuth",
         from: resolver.resolve("runtime/composables/application-auth")
       });
-      addPlugin(resolver.resolve("./runtime/plugins/application-token-refresh"));
-      extendPages((pages) => {
-        pages.unshift({
-          name: "auth-callback",
-          path: "/auth/callback",
-          file: resolver.resolve("./runtime/pages/callback.vue")
-        });
-      });
       addComponent({
         name: "TelaRole",
         filePath: resolver.resolve("./runtime/components/tela-role.vue"),
@@ -37,8 +29,6 @@ const module$1 = defineNuxtModule({
           path: resolver.resolve("./runtime/types/page-meta.d.ts")
         });
       });
-      addPlugin(resolver.resolve("./runtime/plugins/auth-guard"));
-      addPlugin(resolver.resolve("./runtime/plugins/directives"));
       addServerImportsDir(resolver.resolve("./runtime/server/utils"));
       if (!options.skipServerMiddleware) {
         addServerHandler({
@@ -46,6 +36,39 @@ const module$1 = defineNuxtModule({
           handler: resolver.resolve("./runtime/server/middleware/application-auth")
         });
       }
+      addServerHandler({
+        route: "/auth/callback",
+        handler: resolver.resolve("./runtime/server/routes/auth/callback"),
+        method: "get"
+      });
+      addServerHandler({
+        route: "/auth/login",
+        handler: resolver.resolve("./runtime/server/routes/auth/login"),
+        method: "post"
+      });
+      addServerHandler({
+        route: "/auth/refresh",
+        handler: resolver.resolve("./runtime/server/routes/auth/refresh"),
+        method: "post"
+      });
+      addServerHandler({
+        route: "/auth/logout",
+        handler: resolver.resolve("./runtime/server/routes/auth/logout"),
+        method: "post"
+      });
+      addServerHandler({
+        route: "/auth/organizations",
+        handler: resolver.resolve("./runtime/server/routes/auth/organizations"),
+        method: "get"
+      });
+      addServerHandler({
+        route: "/auth/switch-organization",
+        handler: resolver.resolve("./runtime/server/routes/auth/switch-organization"),
+        method: "post"
+      });
+      addPlugin(resolver.resolve("./runtime/plugins/application-token-refresh"));
+      addPlugin(resolver.resolve("./runtime/plugins/auth-guard"));
+      addPlugin(resolver.resolve("./runtime/plugins/directives"));
       return;
     }
     if (!options.skipServerMiddleware) {

package/dist/runtime/composables/application-auth.d.ts

@@ -1,3 +1,11 @@
+type RawOrganization = {
+    title: string;
+    id: string;
+    createdAt: Date;
+    avatarUrl: string | null;
+    metadata: string | null;
+    slug: string | null;
+};
 /**
  * Composable for managing Tela application authentication with OAuth 2.0 PKCE flow
  *
@@ -36,8 +44,9 @@ export declare function useTelaApplicationAuth(): {
     login: () => Promise<void>;
     logout: () => Promise<void>;
     initSession: () => Promise<void>;
-    getAvailableOrganizations: () => Promise<import("@meistrari/auth-core").Organization[]>;
+    getAvailableOrganizations: () => Promise<RawOrganization[]>;
     switchOrganization: (organizationId: string) => Promise<void>;
+    refreshToken: () => Promise<void>;
     user: import("vue").Ref<{
         id: string;
         createdAt: Date;
@@ -69,3 +78,4 @@ export declare function useTelaApplicationAuth(): {
     } | null>;
     activeOrganization: import("vue").Ref<Omit<import("@meistrari/auth-core").FullOrganization, "members" | "invitations" | "teams"> | null, Omit<import("@meistrari/auth-core").FullOrganization, "members" | "invitations" | "teams"> | null>;
 };
+export {};

package/dist/runtime/composables/application-auth.js

@@ -1,38 +1,8 @@
-import { navigateTo, useCookie, useRoute, useRuntimeConfig } from "#app";
-import { AuthorizationFlowError, isTokenExpired, RefreshTokenExpiredError } from "@meistrari/auth-core";
-import { createNuxtAuthClient } from "../shared.js";
+import { navigateTo, useCookie, useRuntimeConfig } from "#app";
+import { AuthorizationFlowError, isTokenExpired, RefreshTokenExpiredError, UserNotLoggedInError } from "@meistrari/auth-core";
 import { useApplicationSessionState } from "./state.js";
-const SEVEN_DAYS = 60 * 60 * 24 * 7;
 const FIFTEEN_MINUTES = 60 * 15;
 const ONE_MINUTE = 60 * 1e3;
-function verifier(stateKey) {
-  return `code_verifier_${stateKey}`;
-}
-function hexEncode(bytes) {
-  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-function generateStateKey(query) {
-  if (query.state && typeof query.state === "string") {
-    return query.state;
-  }
-  const array = new Uint8Array(8);
-  crypto.getRandomValues(array);
-  return hexEncode(array);
-}
-function generateCodeVerifier() {
-  const array = new Uint8Array(32);
-  crypto.getRandomValues(array);
-  return base64UrlEncode(array);
-}
-async function generateCodeChallenge(verifier2) {
-  const encoder = new TextEncoder();
-  const data = encoder.encode(verifier2);
-  const digest = await crypto.subtle.digest("SHA-256", data);
-  return base64UrlEncode(new Uint8Array(digest));
-}
-function base64UrlEncode(bytes) {
-  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
 function mapOrganization(organization) {
   return {
     name: organization.title,
@@ -45,18 +15,11 @@ function mapOrganization(organization) {
 }
 export function useTelaApplicationAuth() {
   const appConfig = useRuntimeConfig().public.telaAuth;
-  const query = useRoute().query;
   const accessTokenCookie = useCookie("tela-access-token", {
-    secure: true,
+    secure: !import.meta.dev,
     sameSite: "lax",
     maxAge: FIFTEEN_MINUTES
   });
-  const refreshTokenCookie = useCookie("tela-refresh-token", {
-    secure: true,
-    sameSite: "lax",
-    maxAge: SEVEN_DAYS
-  });
-  const authClient = createNuxtAuthClient(appConfig.apiUrl ?? "", () => null, () => refreshTokenCookie.value ?? null);
   const state = useApplicationSessionState();
   if (!appConfig.application?.dashboardUrl) {
     throw new Error(
@@ -78,13 +41,7 @@ export function useTelaApplicationAuth() {
     if (import.meta.server) {
       throw new AuthorizationFlowError("The login function can only be called on the client side.");
     }
-    if (typeof localStorage === "undefined") {
-      throw new AuthorizationFlowError("localStorage is not available. The login function must be called on the client side.");
-    }
-    const codeVerifier = generateCodeVerifier();
-    const codeChallenge = await generateCodeChallenge(codeVerifier);
-    const stateKey = generateStateKey(query);
-    localStorage.setItem(verifier(stateKey), codeVerifier);
+    const { state: stateKey, challenge: codeChallenge } = await $fetch("/auth/login", { method: "POST" });
     const url = new URL("/applications/login", appConfig.application?.dashboardUrl);
     url.searchParams.set("application_id", applicationId);
     url.searchParams.set("code_challenge", codeChallenge);
@@ -93,85 +50,52 @@ export function useTelaApplicationAuth() {
     await navigateTo(url.toString(), { external: true });
   }
   async function logout() {
-    accessTokenCookie.value = null;
-    refreshTokenCookie.value = null;
     state.user.value = null;
     state.activeOrganization.value = null;
-    if (typeof localStorage !== "undefined") {
-      for (const key in localStorage) {
-        if (key.startsWith("code_verifier_")) {
-          localStorage.removeItem(key);
-        }
-      }
-    }
-  }
-  async function exchangeCodeForToken() {
-    if (import.meta.server) {
-      throw new AuthorizationFlowError("The exchangeCodeForToken function can only be called on the client side.");
-    }
-    const code = query.code;
-    const stateKey = query.state;
-    if (!code) {
-      throw new AuthorizationFlowError("Authorization code not found in query parameters");
-    }
-    if (!stateKey) {
-      throw new AuthorizationFlowError("State parameter not found in query parameters");
-    }
-    if (typeof localStorage === "undefined") {
-      throw new AuthorizationFlowError("localStorage is not available");
-    }
-    const codeVerifierKey = verifier(stateKey);
-    const codeVerifier = localStorage.getItem(codeVerifierKey);
-    if (!codeVerifier) {
-      throw new AuthorizationFlowError("Code verifier not found. This may indicate a CSRF attack or expired session.");
-    }
-    try {
-      const { accessToken, refreshToken: refreshToken2, user, organization } = await authClient.application.completeAuthorizationFlow(code, codeVerifier);
-      accessTokenCookie.value = accessToken;
-      refreshTokenCookie.value = refreshToken2;
-      state.user.value = user;
-      state.activeOrganization.value = mapOrganization(organization);
-    } finally {
-      localStorage.removeItem(codeVerifierKey);
-    }
+    await $fetch("/auth/logout", { method: "POST" });
   }
   async function refreshToken() {
-    if (!refreshTokenCookie.value) {
+    try {
+      const result = await $fetch("/auth/refresh", {
+        method: "POST"
+      });
+      state.user.value = result.user;
+      state.activeOrganization.value = mapOrganization(result.organization);
+    } catch (error) {
+      console.error("[Auth Refresh] Failed to refresh token:", error);
       throw new RefreshTokenExpiredError();
     }
-    const { accessToken, refreshToken: refreshToken2, user, organization } = await authClient.application.refreshAccessToken(refreshTokenCookie.value);
-    accessTokenCookie.value = accessToken;
-    refreshTokenCookie.value = refreshToken2;
-    state.user.value = user;
-    state.activeOrganization.value = mapOrganization(organization);
   }
   async function initSession() {
-    const code = query.code;
-    if (code) {
-      await exchangeCodeForToken();
-    }
-    if (!accessTokenCookie.value && !refreshTokenCookie.value) {
-      throw new RefreshTokenExpiredError();
+    if (!accessTokenCookie.value) {
+      throw new UserNotLoggedInError("No access token found in cookies");
     }
     const isExpiredOrClose = accessTokenCookie.value ? isTokenExpired(accessTokenCookie.value, ONE_MINUTE) : true;
-    if (isExpiredOrClose && !refreshTokenCookie.value) {
-      await logout();
-      throw new RefreshTokenExpiredError();
-    }
-    if (isExpiredOrClose && refreshTokenCookie.value) {
+    if (isExpiredOrClose) {
       await refreshToken();
     }
   }
   async function getAvailableOrganizations() {
-    const { organizations } = await authClient.application.listCandidateOrganizations(applicationId);
-    return organizations;
+    try {
+      const result = await $fetch("/auth/organizations", { method: "GET" });
+      return result.organizations;
+    } catch (error) {
+      console.error("[Auth Orgs] Failed to list organizations:", error);
+      throw error;
+    }
   }
   async function switchOrganization(organizationId) {
-    const { accessToken, refreshToken: refreshToken2, user, organization } = await authClient.application.switchOrganization(organizationId, accessTokenCookie.value ?? "");
-    accessTokenCookie.value = accessToken;
-    refreshTokenCookie.value = refreshToken2;
-    state.user.value = user;
-    state.activeOrganization.value = mapOrganization(organization);
+    try {
+      const result = await $fetch("/auth/switch-organization", {
+        method: "POST",
+        body: { organizationId }
+      });
+      state.user.value = result.user;
+      state.activeOrganization.value = mapOrganization(result.organization);
+    } catch (error) {
+      console.error("[Auth Switch Org] Failed to switch organization:", error);
+      throw error;
+    }
   }
   return {
     ...state,
@@ -179,6 +103,7 @@ export function useTelaApplicationAuth() {
     logout,
     initSession,
     getAvailableOrganizations,
-    switchOrganization
+    switchOrganization,
+    refreshToken
   };
 }

package/dist/runtime/plugins/application-token-refresh.js

@@ -1,6 +1,6 @@
 import { defineNuxtPlugin, useCookie, useRuntimeConfig } from "#app";
-import { isTokenExpired, RefreshTokenExpiredError } from "@meistrari/auth-core";
-import { watch } from "vue";
+import { isTokenExpired } from "@meistrari/auth-core";
+import { decodeJwt } from "jose";
 import { useTelaApplicationAuth } from "../composables/application-auth.js";
 import { useApplicationSessionState } from "../composables/state.js";
 import { createNuxtAuthClient } from "../shared.js";
@@ -9,11 +9,7 @@ const FIFTEEN_MINUTES = 60 * 15;
 const TWO_MINUTES = 2 * 60 * 1e3;
 function parseTokenExpiry(token) {
   try {
-    const tokenParts = token.split(".");
-    const payloadPart = tokenParts[1];
-    if (!payloadPart)
-      return null;
-    const payload = JSON.parse(atob(payloadPart));
+    const payload = decodeJwt(token);
     if (!payload.exp)
       return null;
     return payload.exp * 1e3;
@@ -42,12 +38,13 @@ export default defineNuxtPlugin({
     const state = useApplicationSessionState();
     const { login, logout: sdkLogout } = useTelaApplicationAuth();
     const accessTokenCookie = useCookie("tela-access-token", {
-      secure: true,
+      secure: !import.meta.dev,
       sameSite: "lax",
       maxAge: FIFTEEN_MINUTES
     });
     const refreshTokenCookie = useCookie("tela-refresh-token", {
-      secure: true,
+      httpOnly: true,
+      secure: !import.meta.dev,
       sameSite: "lax",
       maxAge: SEVEN_DAYS
     });
@@ -60,12 +57,17 @@ export default defineNuxtPlugin({
       }
       isRefreshing = true;
       try {
-        if (!refreshTokenCookie.value) {
-          throw new RefreshTokenExpiredError();
+        if (import.meta.server) {
+          const { accessToken, refreshToken: refreshToken2, user: user2, organization: organization2 } = await authClient.application.refreshAccessToken(refreshTokenCookie.value ?? "");
+          accessTokenCookie.value = accessToken;
+          refreshTokenCookie.value = refreshToken2;
+          state.user.value = user2;
+          state.activeOrganization.value = mapOrganization(organization2);
+          return;
         }
-        const { accessToken, refreshToken: refreshToken2, user, organization } = await authClient.application.refreshAccessToken(refreshTokenCookie.value);
-        accessTokenCookie.value = accessToken;
-        refreshTokenCookie.value = refreshToken2;
+        const { user, organization } = await $fetch("/auth/refresh", {
+          method: "POST"
+        });
         state.user.value = user;
         state.activeOrganization.value = mapOrganization(organization);
       } catch {
@@ -79,7 +81,6 @@ export default defineNuxtPlugin({
     }
     function logout() {
       accessTokenCookie.value = null;
-      refreshTokenCookie.value = null;
       state.user.value = null;
       state.activeOrganization.value = null;
     }
@@ -134,11 +135,7 @@ export default defineNuxtPlugin({
       return;
     }
     if (import.meta.client) {
-      watch(refreshTokenCookie, async (newVal) => {
-        if (newVal) {
-          await scheduleTokenRefresh();
-        }
-      }, { immediate: true });
+      void scheduleTokenRefresh();
     }
   }
 });

package/dist/runtime/server/routes/auth/callback.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Server route handler for OAuth 2.0 PKCE callback
+ *
+ * This route:
+ * 1. Receives the authorization code and state from the OAuth provider
+ * 2. Retrieves the code verifier from a secure cookie
+ * 3. Exchanges the code for access and refresh tokens
+ * 4. Sets authentication cookies
+ * 5. Redirects to the home page or login page on error
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<void>>;
+export default _default;

package/dist/runtime/server/routes/auth/callback.js

@@ -0,0 +1,49 @@
+import { useRuntimeConfig } from "#imports";
+import { defineEventHandler, deleteCookie, getCookie, getQuery, sendRedirect, setCookie } from "h3";
+import { createNuxtAuthClient } from "../../../shared.js";
+export default defineEventHandler(async (event) => {
+  const query = getQuery(event);
+  const code = query.code;
+  const state = query.state;
+  const config = useRuntimeConfig();
+  const authConfig = config.public.telaAuth;
+  const loginPath = authConfig.application?.loginPath ?? "/login";
+  if (!code || !state) {
+    console.error("[Auth Callback] Missing code or state parameter");
+    return await sendRedirect(event, `${loginPath}?error=invalid_callback`);
+  }
+  const codeVerifier = getCookie(event, `tela-verifier-${state}`);
+  if (!codeVerifier) {
+    console.error("[Auth Callback] Code verifier not found in cookies");
+    return await sendRedirect(event, `${loginPath}?error=verifier_missing`);
+  }
+  try {
+    const authClient = createNuxtAuthClient(
+      authConfig.apiUrl,
+      () => null,
+      () => null
+    );
+    const { accessToken, refreshToken } = await authClient.application.completeAuthorizationFlow(code, codeVerifier);
+    setCookie(event, "tela-access-token", accessToken, {
+      secure: !import.meta.dev,
+      sameSite: "lax",
+      maxAge: 60 * 15,
+      // 15 minutes
+      path: "/"
+    });
+    setCookie(event, "tela-refresh-token", refreshToken, {
+      secure: !import.meta.dev,
+      sameSite: "lax",
+      httpOnly: true,
+      maxAge: 60 * 60 * 24 * 7,
+      // 7 days
+      path: "/"
+    });
+    deleteCookie(event, `tela-verifier-${state}`, { path: "/" });
+    return await sendRedirect(event, "/");
+  } catch (error) {
+    console.error("[Auth Callback] OAuth flow error:", error);
+    deleteCookie(event, `tela-verifier-${state}`, { path: "/" });
+    return await sendRedirect(event, `${loginPath}?error=auth_failed`);
+  }
+});

package/dist/runtime/server/routes/auth/login.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Server route handler for OAuth 2.0 PKCE initialization
+ *
+ * This route:
+ * 1. Generates a cryptographically secure state key
+ * 2. Generates a code verifier for PKCE
+ * 3. Generates a code challenge from the verifier
+ * 4. Sets the verifier in a secure HTTP-only cookie
+ * 5. Returns only the state and challenge in the response body
+ *
+ * The client never has access to the verifier - it only receives the challenge
+ * and state to use in the authorization URL.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    state: string;
+    challenge: string;
+}>>;
+export default _default;

package/dist/runtime/server/routes/auth/login.js

@@ -0,0 +1,41 @@
+import { defineEventHandler, setCookie } from "h3";
+function hexEncode(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function generateStateKey() {
+  const array = new Uint8Array(8);
+  crypto.getRandomValues(array);
+  return hexEncode(array);
+}
+function generateCodeVerifier() {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  return base64UrlEncode(array);
+}
+function base64UrlEncode(bytes) {
+  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function generateCodeChallenge(verifier) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return base64UrlEncode(new Uint8Array(digest));
+}
+export default defineEventHandler(async (event) => {
+  const state = generateStateKey();
+  const verifier = generateCodeVerifier();
+  const challenge = await generateCodeChallenge(verifier);
+  setCookie(event, `tela-verifier-${state}`, verifier, {
+    secure: !import.meta.dev,
+    sameSite: "lax",
+    httpOnly: true,
+    // Server-only access
+    maxAge: 60 * 10,
+    // 10 minutes - just long enough for OAuth flow
+    path: "/"
+  });
+  return {
+    state,
+    challenge
+  };
+});

package/dist/runtime/server/routes/auth/logout.d.ts

@@ -0,0 +1,4 @@
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    success: boolean;
+}>>;
+export default _default;

package/dist/runtime/server/routes/auth/logout.js

@@ -0,0 +1,26 @@
+import { useRuntimeConfig } from "#imports";
+import { defineEventHandler, deleteCookie, getCookie } from "h3";
+import { createNuxtAuthClient } from "../../../shared.js";
+export default defineEventHandler(async (event) => {
+  const authConfig = useRuntimeConfig().public.telaAuth;
+  const refreshToken = getCookie(event, "tela-refresh-token");
+  deleteCookie(event, "tela-access-token", { path: "/" });
+  deleteCookie(event, "tela-refresh-token", { path: "/" });
+  try {
+    const authClient = createNuxtAuthClient(
+      authConfig.apiUrl,
+      () => null
+    );
+    if (refreshToken) {
+      await authClient.application.logout(refreshToken);
+    }
+    return {
+      success: true
+    };
+  } catch (error) {
+    console.error("[Auth Logout] Failed to logout:", error);
+    return {
+      success: true
+    };
+  }
+});

package/dist/runtime/server/routes/auth/organizations.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Server route handler for listing available organizations
+ *
+ * This route:
+ * 1. Retrieves the access token from the cookie
+ * 2. Calls the auth API to get the list of organizations the user can switch to
+ * 3. Returns the organizations data
+ *
+ * Returns only organizations that are entitled to the application and where
+ * the entitlement's access rules permit the current user.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    success: boolean;
+    organizations: import("@meistrari/auth-core").Organization[];
+}>>;
+export default _default;

package/dist/runtime/server/routes/auth/organizations.js

@@ -0,0 +1,40 @@
+import { createError, useRuntimeConfig } from "#imports";
+import { defineEventHandler, getCookie } from "h3";
+import { createNuxtAuthClient } from "../../../shared.js";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const authConfig = config.public.telaAuth;
+  const accessToken = getCookie(event, "tela-access-token");
+  if (!accessToken) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized",
+      message: "No access token found"
+    });
+  }
+  if (!authConfig.application?.applicationId) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Internal Server Error",
+      message: "Application ID is not configured"
+    });
+  }
+  try {
+    const authClient = createNuxtAuthClient(
+      authConfig.apiUrl,
+      () => accessToken
+    );
+    const { organizations } = await authClient.application.listCandidateOrganizations(authConfig.application.applicationId);
+    return {
+      success: true,
+      organizations
+    };
+  } catch (error) {
+    console.error("[Auth Orgs] Failed to list organizations:", error);
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Internal Server Error",
+      message: "Failed to list organizations"
+    });
+  }
+});

package/dist/runtime/server/routes/auth/refresh.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Server route handler for token refresh
+ *
+ * This route:
+ * 1. Retrieves the refresh token from the secure httponly cookie
+ * 2. Calls the auth API to exchange it for new tokens
+ * 3. Sets the new access and refresh tokens in secure cookies
+ * 4. Returns the user and organization data
+ *
+ * This keeps the refresh token secure by never exposing it to the client.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    success: boolean;
+    user: {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+        twoFactorEnabled: boolean | null | undefined;
+        banned: boolean | null | undefined;
+        role?: string | null | undefined;
+        banReason?: string | null | undefined;
+        banExpires?: Date | null | undefined;
+        lastActiveAt?: Date | null | undefined;
+    };
+    organization: {
+        id: string;
+        title: string;
+        slug: string | null;
+        avatarUrl: string | null;
+        createdAt: Date;
+        metadata: string | null;
+        settings: unknown;
+    };
+}>>;
+export default _default;

package/dist/runtime/server/routes/auth/refresh.js

@@ -0,0 +1,54 @@
+import { createError, useRuntimeConfig } from "#imports";
+import { defineEventHandler, deleteCookie, getCookie, setCookie } from "h3";
+import { createNuxtAuthClient } from "../../../shared.js";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const authConfig = config.public.telaAuth;
+  const refreshToken = getCookie(event, "tela-refresh-token");
+  if (!refreshToken) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized",
+      message: "No refresh token found"
+    });
+  }
+  try {
+    const authClient = createNuxtAuthClient(
+      authConfig.apiUrl,
+      () => null,
+      () => refreshToken
+    );
+    const { accessToken, refreshToken: newRefreshToken, user, organization } = await authClient.application.refreshAccessToken(refreshToken);
+    setCookie(event, "tela-access-token", accessToken, {
+      secure: !import.meta.dev,
+      sameSite: "lax",
+      maxAge: 60 * 15,
+      // 15 minutes
+      priority: "high",
+      path: "/"
+    });
+    setCookie(event, "tela-refresh-token", newRefreshToken, {
+      secure: !import.meta.dev,
+      sameSite: "lax",
+      httpOnly: true,
+      maxAge: 60 * 60 * 24 * 7,
+      // 7 days
+      priority: "high",
+      path: "/"
+    });
+    return {
+      success: true,
+      user,
+      organization
+    };
+  } catch (error) {
+    console.error("[Auth Refresh] Token refresh error:", error);
+    deleteCookie(event, "tela-access-token", { path: "/" });
+    deleteCookie(event, "tela-refresh-token", { path: "/" });
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized",
+      message: "Failed to refresh access token"
+    });
+  }
+});

package/dist/runtime/server/routes/auth/switch-organization.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Server route handler for switching organizations
+ *
+ * This route:
+ * 1. Retrieves the access token from the cookie
+ * 2. Calls the auth API to switch to the specified organization
+ * 3. Sets the new access and refresh tokens in secure cookies
+ * 4. Returns the user and organization data
+ *
+ * The organization must be entitled to the application and the entitlement's
+ * access rules must allow the current user.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    success: boolean;
+    user: {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+        twoFactorEnabled: boolean | null | undefined;
+        banned: boolean | null | undefined;
+        role?: string | null | undefined;
+        banReason?: string | null | undefined;
+        banExpires?: Date | null | undefined;
+        lastActiveAt?: Date | null | undefined;
+    };
+    organization: {
+        id: string;
+        title: string;
+        slug: string | null;
+        avatarUrl: string | null;
+        createdAt: Date;
+        metadata: string | null;
+        settings: unknown;
+    };
+}>>;
+export default _default;

package/dist/runtime/server/routes/auth/switch-organization.js

@@ -0,0 +1,59 @@
+import { createError, useRuntimeConfig } from "#imports";
+import { defineEventHandler, getCookie, readBody, setCookie } from "h3";
+import { createNuxtAuthClient } from "../../../shared.js";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const authConfig = config.public.telaAuth;
+  const accessToken = getCookie(event, "tela-access-token");
+  if (!accessToken) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized",
+      message: "No access token found"
+    });
+  }
+  const body = await readBody(event);
+  if (!body?.organizationId) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Bad Request",
+      message: "Organization ID is required"
+    });
+  }
+  try {
+    const authClient = createNuxtAuthClient(
+      authConfig.apiUrl,
+      () => accessToken
+    );
+    const { accessToken: newAccessToken, refreshToken: newRefreshToken, user, organization } = await authClient.application.switchOrganization(body.organizationId, accessToken);
+    setCookie(event, "tela-access-token", newAccessToken, {
+      secure: !import.meta.dev,
+      sameSite: "lax",
+      maxAge: 60 * 15,
+      // 15 minutes
+      priority: "high",
+      path: "/"
+    });
+    setCookie(event, "tela-refresh-token", newRefreshToken, {
+      secure: !import.meta.dev,
+      sameSite: "lax",
+      httpOnly: true,
+      maxAge: 60 * 60 * 24 * 7,
+      // 7 days
+      priority: "high",
+      path: "/"
+    });
+    return {
+      success: true,
+      user,
+      organization
+    };
+  } catch (error) {
+    console.error("[Auth Switch Org] Failed to switch organization:", error);
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Internal Server Error",
+      message: "Failed to switch organization"
+    });
+  }
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meistrari/auth-nuxt",
-  "version": "2.1.4",
+  "version": "2.2.0",
   "type": "module",
   "exports": {
     ".": {
@@ -31,7 +31,7 @@
     "build": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxt-module-build build"
   },
   "dependencies": {
-    "@meistrari/auth-core": "1.7.4",
+    "@meistrari/auth-core": "1.8.0",
     "jose": "6.1.3"
   },
   "peerDependencies": {

package/dist/runtime/pages/callback.d.vue.ts

@@ -1,2 +0,0 @@
-declare const _default: import("vue").DefineComponent<{}, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {}, string, import("vue").PublicProps, Readonly<{}> & Readonly<{}>, {}, {}, {}, {}, string, import("vue").ComponentProvideOptions, true, {}, any>;
-export default _default;

package/dist/runtime/pages/callback.vue

@@ -1,35 +0,0 @@
-<script setup>
-import { navigateTo, useRuntimeConfig } from "#app";
-import { onMounted } from "vue";
-import { useTelaApplicationAuth } from "../composables/application-auth";
-const { initSession } = useTelaApplicationAuth();
-const config = useRuntimeConfig();
-const authConfig = config.public.telaAuth;
-const loginPath = authConfig.application?.loginPath ?? "/login";
-onMounted(async () => {
-  try {
-    await initSession();
-    navigateTo("/");
-  } catch (error) {
-    console.error("Session initialization failed:", error);
-    navigateTo({
-      path: loginPath,
-      query: { error: "session_failed" }
-    });
-  }
-});
-</script>
-
-<template>
-    <div class="callback-screen">
-        <div class="callback-square">
-            <div class="callback-border-mask">
-                <div class="callback-border-traveler" />
-            </div>
-        </div>
-    </div>
-</template>
-
-<style scoped>
-.callback-screen{align-items:center;background:#fff;display:flex;height:100dvh;inset:0;justify-content:center;position:fixed;width:100dvw;z-index:9999}.callback-square{background:#fff;border:4px solid #9ca1a9;height:2rem;position:relative;width:2rem}.callback-border-mask{border:4px solid transparent;inset:-4px;mask-clip:padding-box,border-box;-webkit-mask-clip:padding-box,border-box;-webkit-mask-composite:source-in,xor;mask-composite:intersect;-webkit-mask-composite:source-in;mask-image:linear-gradient(transparent,transparent),linear-gradient(#000,#000);-webkit-mask-image:linear-gradient(transparent,transparent),linear-gradient(#000,#000);position:absolute}.callback-border-traveler{animation:border-travel .8s ease-in-out infinite;aspect-ratio:1;background:#000;height:1rem;offset-path:rect(0 auto auto 0);position:absolute;width:40px}@keyframes border-travel{0%{offset-distance:0}to{offset-distance:100%}}
-</style>

package/dist/runtime/pages/callback.vue.d.ts

@@ -1,2 +0,0 @@
-declare const _default: import("vue").DefineComponent<{}, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {}, string, import("vue").PublicProps, Readonly<{}> & Readonly<{}>, {}, {}, {}, {}, string, import("vue").ComponentProvideOptions, true, {}, any>;
-export default _default;