@nuria-tech/auth-sdk 1.0.2 → 1.0.4

package/dist/index.d.cts

@@ -1,73 +1,6 @@
-interface TokenSet {
-    accessToken: string;
-    tokenType?: string;
-    expiresIn?: number;
-    refreshToken?: string;
-    idToken?: string;
-    scope?: string;
-    expiresAt?: number;
-}
-interface Session {
-    tokens: TokenSet;
-    createdAt: number;
-}
-interface StartLoginOptions {
-    loginHint?: string;
-    scopes?: string[];
-    extraParams?: Record<string, string>;
-}
-interface StorageAdapter {
-    get(key: string): Promise<string | null> | string | null;
-    set(key: string, value: string): Promise<void> | void;
-    remove(key: string): Promise<void> | void;
-}
-interface AuthTransportRequest {
-    method?: 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE';
-    headers?: Record<string, string>;
-    credentials?: RequestCredentials;
-    query?: Record<string, string | undefined>;
-    body?: unknown;
-    timeoutMs?: number;
-    retries?: number;
-}
-interface AuthTransportResponse<T = unknown> {
-    status: number;
-    data: T;
-    headers: Headers;
-}
-interface AuthTransport {
-    request<T = unknown>(url: string, req?: AuthTransportRequest): Promise<AuthTransportResponse<T>>;
-}
-interface TransportInterceptor {
-    onRequest?: (url: string, req: AuthTransportRequest) => Promise<AuthTransportRequest> | AuthTransportRequest;
-    onResponse?: <T>(res: AuthTransportResponse<T>) => Promise<AuthTransportResponse<T>> | AuthTransportResponse<T>;
-}
-interface AuthConfig {
-    clientId: string;
-    authorizationEndpoint: string;
-    tokenEndpoint: string;
-    redirectUri: string;
-    scope?: string;
-    logoutEndpoint?: string;
-    userinfoEndpoint?: string;
-    storage?: StorageAdapter;
-    transport?: AuthTransport;
-    onRedirect?: (url: string) => void | Promise<void>;
-    enableRefreshToken?: boolean;
-    now?: () => number;
-}
-interface AuthClient {
-    startLogin(options?: StartLoginOptions): Promise<void>;
-    handleRedirectCallback(callbackUrl?: string): Promise<Session>;
-    getSession(): Session | null;
-    getAccessToken(): Promise<string | null>;
-    logout(options?: {
-        returnTo?: string;
-    }): Promise<void>;
-    isAuthenticated(): boolean;
-    onAuthStateChanged(handler: (session: Session | null) => void): () => void;
-    getUserinfo(): Promise<Record<string, unknown>>;
-}
+import { A as AuthConfig, a as AuthClient, S as StorageAdapter, b as AuthTransport, T as TransportInterceptor, c as AuthTransportRequest, d as AuthTransportResponse } from './types-2k4ZYpF4.cjs';
+export { G as GoogleLoginOptions, L as LoginCodeChallengeOptions, P as PasswordLoginOptions, e as Session, f as StartLoginOptions, g as TokenSet, h as TwoFactorChallenge, V as VerifyLoginCodeOptions } from './types-2k4ZYpF4.cjs';
+export { C as CookieStorageAdapter } from './cookie-storage-adapter-FKYkZ--Y.cjs';
 
 declare function createAuthClient(config: AuthConfig): AuthClient;
 
@@ -86,19 +19,6 @@ declare class WebStorageAdapter implements StorageAdapter {
     remove(key: string): void;
 }
 
-interface CookieStorageCallbacks {
-    getCookie(name: string): string | null | Promise<string | null>;
-    setCookie(name: string, value: string): void | Promise<void>;
-    removeCookie(name: string): void | Promise<void>;
-}
-declare class CookieStorageAdapter implements StorageAdapter {
-    private readonly callbacks;
-    constructor(callbacks: CookieStorageCallbacks);
-    get(key: string): Promise<string | null>;
-    set(key: string, value: string): Promise<void>;
-    remove(key: string): Promise<void>;
-}
-
 interface BrowserCookieStorageOptions {
     domain?: string;
     path?: string;
@@ -142,4 +62,4 @@ declare class AuthError extends Error {
     constructor(code: AuthErrorCode, message: string, cause?: unknown | undefined);
 }
 
-export { type AuthClient, type AuthConfig, AuthError, AuthErrorCode, type AuthTransport, type AuthTransportRequest, type AuthTransportResponse, type BrowserCookieStorageOptions, CookieStorageAdapter, FetchAuthTransport, MemoryStorageAdapter, type Session, type StartLoginOptions, type StorageAdapter, type TokenSet, type TransportInterceptor, WebStorageAdapter, createAuthClient, createBrowserCookieStorage };
+export { AuthClient, AuthConfig, AuthError, AuthErrorCode, AuthTransport, AuthTransportRequest, AuthTransportResponse, type BrowserCookieStorageOptions, FetchAuthTransport, MemoryStorageAdapter, StorageAdapter, TransportInterceptor, WebStorageAdapter, createAuthClient, createBrowserCookieStorage };

package/dist/index.d.ts

@@ -1,73 +1,6 @@
-interface TokenSet {
-    accessToken: string;
-    tokenType?: string;
-    expiresIn?: number;
-    refreshToken?: string;
-    idToken?: string;
-    scope?: string;
-    expiresAt?: number;
-}
-interface Session {
-    tokens: TokenSet;
-    createdAt: number;
-}
-interface StartLoginOptions {
-    loginHint?: string;
-    scopes?: string[];
-    extraParams?: Record<string, string>;
-}
-interface StorageAdapter {
-    get(key: string): Promise<string | null> | string | null;
-    set(key: string, value: string): Promise<void> | void;
-    remove(key: string): Promise<void> | void;
-}
-interface AuthTransportRequest {
-    method?: 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE';
-    headers?: Record<string, string>;
-    credentials?: RequestCredentials;
-    query?: Record<string, string | undefined>;
-    body?: unknown;
-    timeoutMs?: number;
-    retries?: number;
-}
-interface AuthTransportResponse<T = unknown> {
-    status: number;
-    data: T;
-    headers: Headers;
-}
-interface AuthTransport {
-    request<T = unknown>(url: string, req?: AuthTransportRequest): Promise<AuthTransportResponse<T>>;
-}
-interface TransportInterceptor {
-    onRequest?: (url: string, req: AuthTransportRequest) => Promise<AuthTransportRequest> | AuthTransportRequest;
-    onResponse?: <T>(res: AuthTransportResponse<T>) => Promise<AuthTransportResponse<T>> | AuthTransportResponse<T>;
-}
-interface AuthConfig {
-    clientId: string;
-    authorizationEndpoint: string;
-    tokenEndpoint: string;
-    redirectUri: string;
-    scope?: string;
-    logoutEndpoint?: string;
-    userinfoEndpoint?: string;
-    storage?: StorageAdapter;
-    transport?: AuthTransport;
-    onRedirect?: (url: string) => void | Promise<void>;
-    enableRefreshToken?: boolean;
-    now?: () => number;
-}
-interface AuthClient {
-    startLogin(options?: StartLoginOptions): Promise<void>;
-    handleRedirectCallback(callbackUrl?: string): Promise<Session>;
-    getSession(): Session | null;
-    getAccessToken(): Promise<string | null>;
-    logout(options?: {
-        returnTo?: string;
-    }): Promise<void>;
-    isAuthenticated(): boolean;
-    onAuthStateChanged(handler: (session: Session | null) => void): () => void;
-    getUserinfo(): Promise<Record<string, unknown>>;
-}
+import { A as AuthConfig, a as AuthClient, S as StorageAdapter, b as AuthTransport, T as TransportInterceptor, c as AuthTransportRequest, d as AuthTransportResponse } from './types-2k4ZYpF4.js';
+export { G as GoogleLoginOptions, L as LoginCodeChallengeOptions, P as PasswordLoginOptions, e as Session, f as StartLoginOptions, g as TokenSet, h as TwoFactorChallenge, V as VerifyLoginCodeOptions } from './types-2k4ZYpF4.js';
+export { C as CookieStorageAdapter } from './cookie-storage-adapter-EJeGX8Tl.js';
 
 declare function createAuthClient(config: AuthConfig): AuthClient;
 
@@ -86,19 +19,6 @@ declare class WebStorageAdapter implements StorageAdapter {
     remove(key: string): void;
 }
 
-interface CookieStorageCallbacks {
-    getCookie(name: string): string | null | Promise<string | null>;
-    setCookie(name: string, value: string): void | Promise<void>;
-    removeCookie(name: string): void | Promise<void>;
-}
-declare class CookieStorageAdapter implements StorageAdapter {
-    private readonly callbacks;
-    constructor(callbacks: CookieStorageCallbacks);
-    get(key: string): Promise<string | null>;
-    set(key: string, value: string): Promise<void>;
-    remove(key: string): Promise<void>;
-}
-
 interface BrowserCookieStorageOptions {
     domain?: string;
     path?: string;
@@ -142,4 +62,4 @@ declare class AuthError extends Error {
     constructor(code: AuthErrorCode, message: string, cause?: unknown | undefined);
 }
 
-export { type AuthClient, type AuthConfig, AuthError, AuthErrorCode, type AuthTransport, type AuthTransportRequest, type AuthTransportResponse, type BrowserCookieStorageOptions, CookieStorageAdapter, FetchAuthTransport, MemoryStorageAdapter, type Session, type StartLoginOptions, type StorageAdapter, type TokenSet, type TransportInterceptor, WebStorageAdapter, createAuthClient, createBrowserCookieStorage };
+export { AuthClient, AuthConfig, AuthError, AuthErrorCode, AuthTransport, AuthTransportRequest, AuthTransportResponse, type BrowserCookieStorageOptions, FetchAuthTransport, MemoryStorageAdapter, StorageAdapter, TransportInterceptor, WebStorageAdapter, createAuthClient, createBrowserCookieStorage };

package/dist/index.js

@@ -68,23 +68,25 @@ var STORAGE_KEYS = {
   codeVerifier: "nuria:oauth:code_verifier"
 };
 function normalizeTokenSet(raw, now) {
-  var _a, _b, _c, _d, _e, _f;
-  const accessToken = (_a = raw.access_token) != null ? _a : raw.accessToken;
+  var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j;
+  const accessToken = (_b = (_a = raw.access_token) != null ? _a : raw.accessToken) != null ? _b : raw.Token;
   if (!accessToken || typeof accessToken !== "string") {
     throw new AuthError(
       "TOKEN_EXCHANGE_FAILED" /* TOKEN_EXCHANGE_FAILED */,
       "Missing access token in token response"
     );
   }
-  const expiresIn = Number((_c = (_b = raw.expires_in) != null ? _b : raw.expiresIn) != null ? _c : 0) || void 0;
+  const expiresIn = Number((_d = (_c = raw.expires_in) != null ? _c : raw.expiresIn) != null ? _d : 0) || void 0;
+  const expiresAtFromResponse = Number((_e = raw.ExpiresAt) != null ? _e : 0) || void 0;
+  const computedExpiresAt = expiresIn != null ? now() + expiresIn * 1e3 : expiresAtFromResponse ? expiresAtFromResponse : void 0;
   return {
     accessToken,
-    tokenType: (_d = raw.token_type) != null ? _d : raw.tokenType,
+    tokenType: (_g = (_f = raw.token_type) != null ? _f : raw.tokenType) != null ? _g : raw.TokenType,
     expiresIn,
-    refreshToken: (_e = raw.refresh_token) != null ? _e : raw.refreshToken,
-    idToken: (_f = raw.id_token) != null ? _f : raw.idToken,
+    refreshToken: (_i = (_h = raw.refresh_token) != null ? _h : raw.refreshToken) != null ? _i : raw.RefreshToken,
+    idToken: (_j = raw.id_token) != null ? _j : raw.idToken,
     scope: raw.scope,
-    expiresAt: expiresIn ? now() + expiresIn * 1e3 : void 0
+    expiresAt: computedExpiresAt
   };
 }
 async function safeGet(storage, key) {
@@ -335,7 +337,6 @@ var DefaultAuthClient = class {
         "State validation failed"
       );
     }
-    await safeRemove(this.storage, STORAGE_KEYS.state);
     return this.exchangeCode(code);
   }
   getSession() {
@@ -360,11 +361,27 @@ var DefaultAuthClient = class {
   }
   async logout(options) {
     if (options == null ? void 0 : options.returnTo) {
-      const returnTo = options.returnTo;
-      if (returnTo.startsWith("//") || !/^https?:\/\//.test(returnTo)) {
+      let returnToUrl;
+      try {
+        returnToUrl = new URL(options.returnTo);
+      } catch (e) {
+        throw new AuthError(
+          "INVALID_CONFIG" /* INVALID_CONFIG */,
+          "returnTo must be a valid absolute URL"
+        );
+      }
+      const isHttps = returnToUrl.protocol === "https:";
+      const isLocalHttp = returnToUrl.protocol === "http:" && (returnToUrl.hostname === "localhost" || returnToUrl.hostname === "127.0.0.1" || returnToUrl.hostname === "[::1]");
+      if (!isHttps && !isLocalHttp) {
         throw new AuthError(
           "INVALID_CONFIG" /* INVALID_CONFIG */,
-          "returnTo must be an absolute https:// or http:// URL"
+          "returnTo must use https:// (or http:// only for localhost)"
+        );
+      }
+      if (returnToUrl.username || returnToUrl.password) {
+        throw new AuthError(
+          "INVALID_CONFIG" /* INVALID_CONFIG */,
+          "returnTo must not include URL credentials"
         );
       }
     }
@@ -387,8 +404,12 @@ var DefaultAuthClient = class {
     }
   }
   isAuthenticated() {
-    var _a;
-    return Boolean((_a = this.session) == null ? void 0 : _a.tokens.accessToken);
+    var _a, _b;
+    const accessToken = (_a = this.session) == null ? void 0 : _a.tokens.accessToken;
+    if (!accessToken) return false;
+    const exp = (_b = this.session) == null ? void 0 : _b.tokens.expiresAt;
+    if (exp && exp <= this.now()) return false;
+    return true;
   }
   onAuthStateChanged(handler) {
     this.listeners.add(handler);
@@ -414,6 +435,103 @@ var DefaultAuthClient = class {
     );
     return response.data;
   }
+  async startLoginCodeChallenge(options) {
+    var _a, _b, _c, _d, _e, _f, _g;
+    if (!(options == null ? void 0 : options.email)) {
+      throw new AuthError(
+        "INVALID_CONFIG" /* INVALID_CONFIG */,
+        "email is required for startLoginCodeChallenge"
+      );
+    }
+    const response = await this.transport.request(
+      `${this.config.baseUrl}/v2/login-code/challenge`,
+      {
+        method: "POST",
+        credentials: "include",
+        body: {
+          email: options.email,
+          channel: (_a = options.channel) != null ? _a : "email",
+          destination: options.destination,
+          purpose: (_b = options.purpose) != null ? _b : "login"
+        }
+      }
+    );
+    return {
+      challengeId: String((_c = response.data.challengeId) != null ? _c : ""),
+      channel: String((_d = response.data.channel) != null ? _d : ""),
+      destinationMasked: String((_e = response.data.destinationMasked) != null ? _e : ""),
+      expiresAt: Number((_f = response.data.expiresAt) != null ? _f : 0),
+      purpose: String((_g = response.data.purpose) != null ? _g : "login")
+    };
+  }
+  async verifyLoginCode(options) {
+    if (!(options == null ? void 0 : options.challengeId) || !(options == null ? void 0 : options.code)) {
+      throw new AuthError(
+        "INVALID_CONFIG" /* INVALID_CONFIG */,
+        "challengeId and code are required for verifyLoginCode"
+      );
+    }
+    const response = await this.transport.request(
+      `${this.config.baseUrl}/v2/2fa/verify-login`,
+      {
+        method: "POST",
+        credentials: "include",
+        body: {
+          challengeId: options.challengeId,
+          code: options.code
+        }
+      }
+    );
+    const tokens = normalizeTokenSet(response.data, this.now);
+    return this.createSession(tokens);
+  }
+  async loginWithCodeSent(options) {
+    return this.startLoginCodeChallenge(options);
+  }
+  async completeLoginWithCode(options) {
+    return this.verifyLoginCode(options);
+  }
+  async loginWithGoogle(options) {
+    if (!(options == null ? void 0 : options.idToken)) {
+      throw new AuthError(
+        "INVALID_CONFIG" /* INVALID_CONFIG */,
+        "idToken is required for loginWithGoogle"
+      );
+    }
+    const response = await this.transport.request(
+      `${this.config.baseUrl}/v2/google`,
+      {
+        method: "POST",
+        credentials: "include",
+        body: {
+          idToken: options.idToken
+        }
+      }
+    );
+    const tokens = normalizeTokenSet(response.data, this.now);
+    return this.createSession(tokens);
+  }
+  async loginWithPassword(options) {
+    if (!(options == null ? void 0 : options.email) || !(options == null ? void 0 : options.password)) {
+      throw new AuthError(
+        "INVALID_CONFIG" /* INVALID_CONFIG */,
+        "email and password are required for loginWithPassword"
+      );
+    }
+    const response = await this.transport.request(
+      `${this.config.baseUrl}/v2/login`,
+      {
+        method: "POST",
+        credentials: "include",
+        body: {
+          email: options.email,
+          password: options.password
+        }
+      }
+    );
+    const tokens = normalizeTokenSet(response.data, this.now);
+    return this.createSession(tokens);
+  }
   async exchangeCode(code) {
     const verifier = await safeGet(this.storage, STORAGE_KEYS.codeVerifier);
     if (!verifier) {
@@ -438,6 +556,7 @@ var DefaultAuthClient = class {
       }
     );
     const tokens = normalizeTokenSet(response.data, this.now);
+    await safeRemove(this.storage, STORAGE_KEYS.state);
     await safeRemove(this.storage, STORAGE_KEYS.codeVerifier);
     return this.createSession(tokens);
   }
@@ -501,23 +620,48 @@ var DefaultAuthClient = class {
 };
 
 // src/client/create-client.ts
-function createAuthClient(config) {
-  if (!(config == null ? void 0 : config.clientId)) {
+var DEFAULT_AUTH_BASE_URL = "https://ms-auth-v2.nuria.com.br";
+var DEFAULT_AUTHORIZATION_PATH = "/v2/oauth/authorize";
+var DEFAULT_TOKEN_PATH = "/v2/oauth/token";
+var DEFAULT_SCOPE = "openid profile email";
+function normalizeBaseUrl(value) {
+  const raw = String(value != null ? value : DEFAULT_AUTH_BASE_URL).trim();
+  if (!raw) {
     throw new AuthError(
       "INVALID_CONFIG" /* INVALID_CONFIG */,
-      "config.clientId is required"
+      "config.baseUrl must be a valid absolute URL"
     );
   }
-  if (!config.authorizationEndpoint) {
+  let parsed;
+  try {
+    parsed = new URL(raw);
+  } catch (e) {
     throw new AuthError(
       "INVALID_CONFIG" /* INVALID_CONFIG */,
-      "config.authorizationEndpoint is required"
+      "config.baseUrl must be a valid absolute URL"
     );
   }
-  if (!config.tokenEndpoint) {
+  return parsed.toString().replace(/\/+$/, "");
+}
+function resolveEndpoint(baseUrl, explicit, fallbackPath) {
+  if (explicit) {
+    try {
+      return new URL(explicit).toString();
+    } catch (e) {
+      throw new AuthError(
+        "INVALID_CONFIG" /* INVALID_CONFIG */,
+        "OAuth endpoints must be valid absolute URLs"
+      );
+    }
+  }
+  return new URL(fallbackPath, `${baseUrl}/`).toString();
+}
+function createAuthClient(config) {
+  var _a, _b;
+  if (!(config == null ? void 0 : config.clientId)) {
     throw new AuthError(
       "INVALID_CONFIG" /* INVALID_CONFIG */,
-      "config.tokenEndpoint is required"
+      "config.clientId is required"
     );
   }
   if (!config.redirectUri) {
@@ -526,7 +670,24 @@ function createAuthClient(config) {
       "config.redirectUri is required"
     );
   }
-  return new DefaultAuthClient(config);
+  const baseUrl = normalizeBaseUrl(config.baseUrl);
+  const resolvedConfig = {
+    ...config,
+    baseUrl,
+    scope: String((_a = config.scope) != null ? _a : "").trim() || DEFAULT_SCOPE,
+    enableRefreshToken: (_b = config.enableRefreshToken) != null ? _b : true,
+    authorizationEndpoint: resolveEndpoint(
+      baseUrl,
+      config.authorizationEndpoint,
+      DEFAULT_AUTHORIZATION_PATH
+    ),
+    tokenEndpoint: resolveEndpoint(
+      baseUrl,
+      config.tokenEndpoint,
+      DEFAULT_TOKEN_PATH
+    )
+  };
+  return new DefaultAuthClient(resolvedConfig);
 }
 
 // src/storage/web-storage-adapter.ts
@@ -565,8 +726,18 @@ var CookieStorageAdapter = class {
 var getCookieValue = (name) => {
   var _a;
   if (typeof document === "undefined") return null;
-  const result = document.cookie.match(`(^|;)\\s*${name}\\s*=\\s*([^;]+)`);
-  return result ? (_a = result.pop()) != null ? _a : null : null;
+  const escapedName = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  const result = document.cookie.match(
+    `(^|;)\\s*${escapedName}\\s*=\\s*([^;]+)`
+  );
+  if (!result) return null;
+  const raw = (_a = result.pop()) != null ? _a : null;
+  if (raw == null) return null;
+  try {
+    return decodeURIComponent(raw);
+  } catch (e) {
+    return raw;
+  }
 };
 function createBrowserCookieStorage(options = {}) {
   const { domain, path = "/", sameSite = "strict", secure = true } = options;
@@ -575,7 +746,7 @@ function createBrowserCookieStorage(options = {}) {
   };
   const set = (key, value) => {
     if (typeof document === "undefined") return;
-    let cookie = `${key}=${value}`;
+    let cookie = `${key}=${encodeURIComponent(value)}`;
     if (path) cookie += `; path=${path}`;
     if (domain) cookie += `; domain=${domain}`;
     if (sameSite) cookie += `; samesite=${sameSite}`;