@meistrari/auth-nuxt 3.7.0 → 3.8.0

package/README.md

@@ -12,9 +12,30 @@ This SDK supports two authentication models:
 ## Installation
 
 ```bash
-npm install @meistrari/auth-nuxt
+bun add @meistrari/auth-nuxt
 ```
 
+## Quick Start
+
+```ts
+export default defineNuxtConfig({
+  modules: ['@meistrari/auth-nuxt'],
+  telaAuth: {
+    apiUrl: 'https://auth.tela.com',
+    application: {
+      enabled: true,
+      dashboardUrl: 'https://accounts.tela.com',
+      applicationId: 'app_123',
+      redirectUri: 'https://your-app.com/auth/callback',
+    },
+  },
+})
+```
+
+Application auth auto-imports `useTelaApplicationAuth()`, registers `<TelaRole>`, installs role directives, and adds SDK routes under `/auth/*` plus `/api/auth/api-key/**`. `useTelaApiKey()` is also available; in application mode it targets the local API key proxy for app-scoped user API keys.
+
+First-party auth auto-imports `useTelaSession()`, `useTelaOrganization()`, and `useTelaApiKey()`.
+
 ## API Reference
 
 See it on [Pantry](https://pantry.tela.tools/ingredients/auth-nuxt/api)

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "@meistrari/auth-nuxt",
   "configKey": "telaAuth",
-  "version": "3.7.0",
+  "version": "3.8.0",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/module.mjs

@@ -12,6 +12,11 @@ const module$1 = defineNuxtModule({
   setup(options, nuxt) {
     const resolver = createResolver(import.meta.url);
     nuxt.options.runtimeConfig.public.telaAuth = options;
+    addImports({
+      name: "useTelaApiKey",
+      as: "useTelaApiKey",
+      from: resolver.resolve("runtime/composables/api-key")
+    });
     if (options.application?.enabled) {
       addImports({
         name: "useTelaApplicationAuth",
@@ -71,6 +76,10 @@ const module$1 = defineNuxtModule({
         handler: resolver.resolve("./runtime/server/routes/auth/whoami"),
         method: "get"
       });
+      addServerHandler({
+        route: "/api/auth/api-key/**",
+        handler: resolver.resolve("./runtime/server/routes/auth/api-key-proxy")
+      });
       addPlugin(resolver.resolve("./runtime/plugins/application-token-refresh"));
       addPlugin(resolver.resolve("./runtime/plugins/auth-guard"));
       addPlugin(resolver.resolve("./runtime/plugins/directives"));
@@ -92,11 +101,6 @@ const module$1 = defineNuxtModule({
       as: "useTelaOrganization",
       from: resolver.resolve("runtime/composables/organization")
     });
-    addImports({
-      name: "useTelaApiKey",
-      as: "useTelaApiKey",
-      from: resolver.resolve("runtime/composables/api-key")
-    });
     addPlugin(resolver.resolve("./runtime/plugins/handshake"));
   }
 });

package/dist/runtime/composables/api-key.js

@@ -1,9 +1,13 @@
-import { useCookie, useRuntimeConfig } from "#app";
+import { useCookie, useRequestURL, useRuntimeConfig } from "#app";
 import { createNuxtAuthClient } from "../shared.js";
 export function useTelaApiKey() {
-  const { jwtCookieName, apiUrl } = useRuntimeConfig().public.telaAuth;
-  const tokenCookie = useCookie(jwtCookieName);
-  const authClient = createNuxtAuthClient(apiUrl, () => tokenCookie.value ?? null);
+  const { application, jwtCookieName, apiUrl } = useRuntimeConfig().public.telaAuth;
+  const tokenCookie = useCookie(application?.enabled ? "tela-access-token" : jwtCookieName);
+  const requestUrl = useRequestURL();
+  const authClient = createNuxtAuthClient(
+    application?.enabled ? requestUrl.origin : apiUrl,
+    () => tokenCookie.value ?? null
+  );
   async function createApiKey(payload) {
     return await authClient.apiKey.createApiKey(payload);
   }

package/dist/runtime/server/routes/auth/api-key-proxy.d.ts

@@ -0,0 +1,2 @@
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<string>>;
+export default _default;

package/dist/runtime/server/routes/auth/api-key-proxy.js

@@ -0,0 +1,93 @@
+import { createError, useRuntimeConfig } from "#imports";
+import {
+  defineEventHandler,
+  getCookie,
+  getHeaders,
+  getRequestURL,
+  readRawBody,
+  setResponseHeader,
+  setResponseStatus
+} from "h3";
+const ALLOWED_REQUEST_HEADERS = /* @__PURE__ */ new Set([
+  "accept",
+  "content-type"
+]);
+const ALLOWED_RESPONSE_HEADERS = /* @__PURE__ */ new Set([
+  "cache-control",
+  "content-type"
+]);
+const ALLOWED_API_KEY_ROUTES = /* @__PURE__ */ new Map([
+  ["/api/auth/api-key/create", /* @__PURE__ */ new Set(["POST"])],
+  ["/api/auth/api-key/delete", /* @__PURE__ */ new Set(["POST"])],
+  ["/api/auth/api-key/get", /* @__PURE__ */ new Set(["GET"])],
+  ["/api/auth/api-key/list", /* @__PURE__ */ new Set(["GET"])],
+  ["/api/auth/api-key/update", /* @__PURE__ */ new Set(["POST"])]
+]);
+function getBearerToken(authorization) {
+  const value = Array.isArray(authorization) ? authorization[0] : authorization;
+  if (!value?.toLowerCase().startsWith("bearer ")) {
+    return void 0;
+  }
+  return value.slice("bearer ".length).trimStart() || void 0;
+}
+export default defineEventHandler(async (event) => {
+  const authConfig = useRuntimeConfig(event).public.telaAuth;
+  const requestUrl = getRequestURL(event);
+  const requestHeaders = getHeaders(event);
+  const accessToken = getCookie(event, "tela-access-token") ?? getBearerToken(requestHeaders.authorization);
+  const allowedMethods = ALLOWED_API_KEY_ROUTES.get(requestUrl.pathname);
+  if (!authConfig.application?.enabled) {
+    throw createError({
+      statusCode: 404,
+      statusMessage: "Not Found"
+    });
+  }
+  if (!accessToken) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized",
+      message: "No access token found"
+    });
+  }
+  if (!allowedMethods) {
+    throw createError({
+      statusCode: 404,
+      statusMessage: "Not Found"
+    });
+  }
+  if (!allowedMethods.has(event.method)) {
+    throw createError({
+      statusCode: 405,
+      statusMessage: "Method Not Allowed"
+    });
+  }
+  const origin = Array.isArray(requestHeaders.origin) ? requestHeaders.origin[0] : requestHeaders.origin;
+  if (event.method !== "GET" && origin && origin !== requestUrl.origin) {
+    throw createError({
+      statusCode: 403,
+      statusMessage: "Forbidden"
+    });
+  }
+  const targetUrl = new URL(requestUrl.pathname + requestUrl.search, authConfig.apiUrl);
+  const headers = new Headers();
+  for (const [name, value] of Object.entries(requestHeaders)) {
+    if (value && ALLOWED_REQUEST_HEADERS.has(name.toLowerCase())) {
+      headers.set(name, Array.isArray(value) ? value.join(", ") : value);
+    }
+  }
+  headers.set("Authorization", `Bearer ${accessToken}`);
+  const method = event.method;
+  const body = method === "GET" || method === "HEAD" ? void 0 : await readRawBody(event);
+  const response = await fetch(targetUrl, {
+    body,
+    headers,
+    method
+  });
+  setResponseStatus(event, response.status, response.statusText);
+  for (const [name, value] of response.headers) {
+    if (ALLOWED_RESPONSE_HEADERS.has(name.toLowerCase())) {
+      setResponseHeader(event, name, value);
+    }
+  }
+  return await response.text();
+});

package/dist/runtime/shared.js

@@ -8,7 +8,7 @@ export function createNuxtAuthClient(apiUrl, getAuthToken, getRefreshToken = ()
       "X-User-Agent": userAgent
     },
     onRequest: (context) => {
-      const requestUrl = new URL(context.url);
+      const requestUrl = new URL(context.url, "http://localhost");
       const token = getAuthToken();
       const isTokenRequest = requestUrl.pathname.endsWith("/api/auth/token");
       if (token && !isTokenRequest) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meistrari/auth-nuxt",
-  "version": "3.7.0",
+  "version": "3.8.0",
   "type": "module",
   "exports": {
     ".": {