@nexusrt/nexus-auth 1.0.0

package/dist/methods/sso.d.ts

@@ -0,0 +1,34 @@
+import type { SsoRegisterInput, SsoStartResponse, GenericSuccessResponse } from "../types";
+/**
+ * Multi-tenant SSO (Single Sign-On) methods.
+ *
+ * Two roles exist:
+ *
+ *   Organization Admin  → registers their company IDP via `registerProvider()`.
+ *   End User            → signs in through their company's IDP via `signIn()`.
+ *
+ * Sign-in flow:
+ *   1. Call `signIn(email)` → server resolves the org and returns a redirect URL.
+ *   2. Redirect the user to `auth_url` to complete sign-in with their IDP.
+ *
+ * ```ts
+ * const { auth_url } = await auth.sso.signIn(email);
+ * window.location.href = auth_url;
+ * ```
+ */
+export declare class SsoAuth {
+    /**
+     * Registers an organisation's Identity Provider (IDP) with the auth system.
+     * This is typically called once by an organisation admin during onboarding.
+     */
+    registerProvider(baseUrl: string, input: SsoRegisterInput): Promise<GenericSuccessResponse>;
+    /**
+     * Starts the SSO sign-in flow for an end user.
+     *
+     * The server resolves the correct IDP from the user's email domain
+     * and returns a redirect URL.  Redirect the user to that URL to
+     * complete sign-in with their organisation's IDP.
+     */
+    signIn(baseUrl: string, email: string): Promise<SsoStartResponse>;
+}
+//# sourceMappingURL=sso.d.ts.map

package/dist/methods/sso.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sso.d.ts","sourceRoot":"","sources":["../../src/methods/sso.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,gBAAgB,EAChB,gBAAgB,EAChB,sBAAsB,EACvB,MAAM,UAAU,CAAC;AAElB;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,OAAO;IAClB;;;OAGG;IACG,gBAAgB,CACpB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,gBAAgB,GACtB,OAAO,CAAC,sBAAsB,CAAC;IAiBlC;;;;;;OAMG;IACG,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;CAMxE"}

package/dist/methods/token.d.ts

@@ -0,0 +1,32 @@
+import type { AuthUser, JwtPayload } from "../types";
+/**
+ * Manages the in-memory access token and exposes token-based auth helpers.
+ *
+ * Storage strategy:
+ *   - Access tokens are kept in memory only (never localStorage) for security.
+ *   - Refresh tokens are stored in an HttpOnly cookie by the server.
+ */
+export declare class TokenManager {
+    private accessToken;
+    getAccessToken(): string | null;
+    setAccessToken(token: string): void;
+    clearAccessToken(): void;
+    /**
+     * Decodes the JWT payload without verifying the signature.
+     * Useful for reading user info (email, avatar) on the client side.
+     */
+    decodeToken(token: string): JwtPayload | null;
+    /**
+     * Reads user info directly from the stored access token.
+     * Returns null if no token is set or it cannot be decoded.
+     */
+    getUserFromToken(): Pick<AuthUser, "email" | "avatar_url"> | null;
+    /**
+     * Attempts to get a new access token using the HttpOnly refresh-token cookie.
+     * Call this once on app startup to restore an existing session.
+     *
+     * @returns The decoded user info on success, or null if no refresh token exists.
+     */
+    refresh(baseUrl: string): Promise<Pick<AuthUser, "email" | "avatar_url"> | null>;
+}
+//# sourceMappingURL=token.d.ts.map

package/dist/methods/token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../src/methods/token.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,QAAQ,EAER,UAAU,EACX,MAAM,UAAU,CAAC;AAElB;;;;;;GAMG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,WAAW,CAAuB;IAI1C,cAAc,IAAI,MAAM,GAAG,IAAI;IAI/B,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAInC,gBAAgB,IAAI,IAAI;IAMxB;;;OAGG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI;IAS7C;;;OAGG;IACH,gBAAgB,IAAI,IAAI,CAAC,QAAQ,EAAE,OAAO,GAAG,YAAY,CAAC,GAAG,IAAI;IAYjE;;;;;OAKG;IACG,OAAO,CACX,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,GAAG,YAAY,CAAC,GAAG,IAAI,CAAC;CAc1D"}

package/dist/methods/totp.d.ts

@@ -0,0 +1,34 @@
+import type { TotpSetupResponse, MfaVerifyInput, GenericSuccessResponse } from "../types";
+/**
+ * TOTP (Time-based One-Time Password) MFA management.
+ *
+ * Setup flow:
+ *   1. Call `setup()` → server returns a QR code / TOTP secret.
+ *   2. User scans with their authenticator app.
+ *   3. Call `confirmSetup(code)` with the first code to activate TOTP.
+ *
+ * Sign-in flow (when signIn returns `status === SignInStatus.TOTP_REQUIRED`):
+ *   1. Prompt user for their TOTP code.
+ *   2. Call `verifySignIn({ sessionId: data.mfa, code })` to complete sign-in.
+ */
+export declare class TotpAuth {
+    /**
+     * Starts TOTP registration — returns the secret / QR code to display.
+     */
+    setup(baseUrl: string): Promise<TotpSetupResponse>;
+    /**
+     * Confirms the TOTP setup by verifying the first code from the
+     * authenticator app.
+     */
+    confirmSetup(baseUrl: string, code: string): Promise<GenericSuccessResponse>;
+    /**
+     * Completes a TOTP sign-in challenge.
+     * Use the `mfa` session ID returned by `emailPassword.signIn()` as `sessionId`.
+     */
+    verifySignIn(baseUrl: string, input: MfaVerifyInput): Promise<GenericSuccessResponse>;
+    /**
+     * Removes TOTP from the currently authenticated user's account.
+     */
+    delete(baseUrl: string): Promise<void>;
+}
+//# sourceMappingURL=totp.d.ts.map

package/dist/methods/totp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"totp.d.ts","sourceRoot":"","sources":["../../src/methods/totp.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,iBAAiB,EACjB,cAAc,EACd,sBAAsB,EACvB,MAAM,UAAU,CAAC;AAElB;;;;;;;;;;;GAWG;AACH,qBAAa,QAAQ;IACnB;;OAEG;IACG,KAAK,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAOxD;;;OAGG;IACG,YAAY,CAChB,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,sBAAsB,CAAC;IAUlC;;;OAGG;IACG,YAAY,CAChB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,cAAc,GACpB,OAAO,CAAC,sBAAsB,CAAC;IAalC;;OAEG;IACG,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAG7C"}

package/dist/providers/social.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Social / OAuth provider sign-in methods.
+ *
+ * Each method redirects the browser to the provider's OAuth flow.
+ * After successful authentication the server will redirect back to
+ * your application with a session cookie (or access token, depending
+ * on your server configuration).
+ *
+ * These are simple redirects — no async call is needed.
+ */
+export declare class SocialAuth {
+    private readonly baseUrl;
+    constructor(baseUrl: string);
+    /** Redirects to Google OAuth sign-in. */
+    signInWithGoogle(): void;
+    /** Redirects to GitHub OAuth sign-in. */
+    signInWithGithub(): void;
+    /** Redirects to LinkedIn OAuth sign-in. */
+    signInWithLinkedIn(): void;
+    /** Redirects to Okta OAuth sign-in. */
+    signInWithOkta(): void;
+}
+//# sourceMappingURL=social.d.ts.map

package/dist/providers/social.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"social.d.ts","sourceRoot":"","sources":["../../src/providers/social.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,qBAAa,UAAU;IACT,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAAP,OAAO,EAAE,MAAM;IAE5C,yCAAyC;IACzC,gBAAgB,IAAI,IAAI;IAIxB,yCAAyC;IACzC,gBAAgB,IAAI,IAAI;IAIxB,2CAA2C;IAC3C,kBAAkB,IAAI,IAAI;IAI1B,uCAAuC;IACvC,cAAc,IAAI,IAAI;CAGvB"}

package/dist/types/index.d.ts

@@ -0,0 +1,92 @@
+export interface AuthUser {
+    email: string;
+    avatar_url?: string;
+    [key: string]: unknown;
+}
+export interface JwtPayload {
+    email: string;
+    avatar_url?: string;
+    [key: string]: unknown;
+}
+export interface RefreshTokenResponse {
+    access_token: string;
+}
+export interface SignInResponse {
+    access_token?: string;
+    status?: SignInStatus;
+    mfa?: string;
+}
+export interface MagicLinkResponse {
+    status: "MAGIC_LINK";
+    mfa: string;
+}
+export interface ForgotPasswordResponse {
+    status: "RESET_PASSWORD";
+    mfa: string;
+}
+export interface TotpSetupResponse {
+    totp: string;
+}
+export interface SsoStartResponse {
+    auth_url: string;
+}
+export interface SsoRegisterResponse {
+    [key: string]: unknown;
+}
+export interface GenericSuccessResponse {
+    [key: string]: unknown;
+}
+export declare const SignInStatus: {
+    /** Standard email+password sign-in succeeded — no MFA required */
+    readonly SUCCESS: "SUCCESS";
+    /** Server requires the user to complete an Email MFA challenge */
+    readonly MFA_REQUIRED: "MFA_REQUIRED";
+    /** Server requires the user to complete a TOTP challenge */
+    readonly TOTP_REQUIRED: "TOTP_REQUIRED";
+    /** Server sent a magic link/code to the user's email */
+    readonly MAGIC_LINK: "MAGIC_LINK";
+    /** Server sent a password-reset code to the user's email */
+    readonly RESET_PASSWORD: "RESET_PASSWORD";
+};
+export type SignInStatus = (typeof SignInStatus)[keyof typeof SignInStatus];
+export interface AuthClientConfig {
+    /**
+     * Base URL of your auth server.
+     * @default "https://auth.jobtrk.com"
+     */
+    baseUrl?: string;
+}
+export interface EmailPasswordCredentials {
+    email: string;
+    password: string;
+    userName?: string;
+    firstName?: string;
+    lastName?: string;
+}
+export interface MfaVerifyInput {
+    /** The session ID returned from the initial sign-in / magic-link call */
+    sessionId: string;
+    /** The one-time code entered by the user */
+    code: string;
+}
+export interface ResetPasswordInput {
+    oldPassword: string;
+    newPassword: string;
+}
+export interface ForgotPasswordConfirmInput {
+    /** The session ID returned from forgotPassword() */
+    sessionId: string;
+    /** The code emailed to the user */
+    code: string;
+    /** The new password to set */
+    password: string;
+}
+export interface SsoRegisterInput {
+    providerName: string;
+    providerEndEmail: string;
+    clientId: string;
+    clientSecret: string;
+    issuer: string;
+    callbackUrl: string;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,QAAQ;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAMD,MAAM,WAAW,oBAAoB;IACnC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,cAAc;IAC7B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,YAAY,CAAC;IACrB,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,gBAAgB,CAAC;IACzB,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,mBAAmB;IAClC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,sBAAsB;IACrC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAOD,eAAO,MAAM,YAAY;IACvB,kEAAkE;;IAGlE,kEAAkE;;IAGlE,4DAA4D;;IAG5D,wDAAwD;;IAGxD,4DAA4D;;CAEpD,CAAC;AAEX,MAAM,MAAM,YAAY,GAAG,CAAC,OAAO,YAAY,CAAC,CAAC,MAAM,OAAO,YAAY,CAAC,CAAC;AAM5E,MAAM,WAAW,gBAAgB;IAC/B;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAMD,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,cAAc;IAC7B,yEAAyE;IACzE,SAAS,EAAE,MAAM,CAAC;IAClB,4CAA4C;IAC5C,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,0BAA0B;IACzC,oDAAoD;IACpD,SAAS,EAAE,MAAM,CAAC;IAClB,mCAAmC;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,8BAA8B;IAC9B,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;CACrB"}

package/package.json

@@ -0,0 +1,43 @@
+{
+  "name": "@nexusrt/nexus-auth",
+  "version": "1.0.0",
+  "type": "module",
+  "description": "Universal TypeScript SDK for the Nexus authentication system",
+  "main": "./dist/index.js",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "rollup -c",
+    "dev": "tsup src/index.ts --format cjs,esm --dts --watch",
+    "typecheck": "tsc --noEmit"
+  },
+  "keywords": [
+    "auth",
+    "authentication",
+    "sdk",
+    "typescript",
+    "oauth",
+    "sso",
+    "mfa",
+    "totp"
+  ],
+  "license": "MIT",
+  "devDependencies": {
+    "@rollup/plugin-typescript": "^12.3.0",
+    "rollup": "^4.59.0",
+    "tslib": "^2.8.1",
+    "tsup": "^8.0.0",
+    "typescript": "^5.4.0"
+  }
+}