@onairos/react-native 3.0.75 → 3.1.1

package/src/services/apiKeyService.ts

@@ -1,4 +1,5 @@
 import type { OnairosConfig, ApiKeyValidationResult } from '../types';
+import AsyncStorage from '@react-native-async-storage/async-storage';
 
 // Admin key for backend validation
 export const ADMIN_API_KEY = 'OnairosIsAUnicorn2025';
@@ -10,30 +11,33 @@ export enum ApiKeyType {
   INVALID = 'invalid'
 }
 
+// JWT token storage key
+const JWT_TOKEN_KEY = 'onairos_jwt_token';
+
 /**
- * API Key Service for Onairos React Native SDK
+ * Two-Tier Authentication Service for Onairos React Native SDK
  * 
- * This service handles API key validation, management, and authentication
- * following standard SDK patterns for secure API key handling.
+ * This service implements the two-tier authentication system:
+ * 1. Developer API Keys: For app-level operations (email verification, app registration)
+ * 2. JWT User Tokens: For user-level operations (PIN storage, user profile)
  * 
  * How it works:
- * 1. Initialize with API key and configuration
- * 2. Validate API key with the Onairos backend
- * 3. Cache validation results for performance
- * 4. Include API key in all authenticated requests
- * 5. Handle API key errors gracefully with developer-friendly messages
+ * 1. Initialize with developer API key
+ * 2. Use API key for email verification requests
+ * 3. Store JWT token from email verification response
+ * 4. Use JWT token for user-authenticated requests
+ * 5. Handle token expiration gracefully
  * 
  * Backend Integration:
- * - All API requests include: Authorization: Bearer {apiKey}
- * - Backend should validate API keys on each request
- * - Admin key "OnairosIsAUnicorn2025" has full permissions
- * - Developer keys have limited permissions based on validation response
+ * - Developer routes: Authorization: Bearer ${API_KEY}
+ * - User routes: Authorization: Bearer ${JWT_TOKEN}
  */
 
 // Global configuration state
 let globalConfig: OnairosConfig | null = null;
 let validationCache: Map<string, { result: ApiKeyValidationResult; timestamp: number }> = new Map();
 let isInitialized = false;
+let userToken: string | null = null;
 
 // Cache duration (5 minutes)
 const CACHE_DURATION = 5 * 60 * 1000;
@@ -46,15 +50,15 @@ const API_ENDPOINTS = {
 };
 
 /**
- * Initialize the SDK with API key and configuration
- * @param config API configuration including API key
+ * Initialize the SDK with developer API key
+ * @param config API configuration including developer API key
  */
 export const initializeApiKey = async (config: OnairosConfig): Promise<void> => {
   try {
-    console.log('🔑 Initializing Onairos SDK with API key...');
+    console.log('🔑 Initializing Onairos SDK with developer API key...');
     
     if (!config.apiKey) {
-      throw new Error('API key is required for SDK initialization');
+      throw new Error('Developer API key is required for SDK initialization');
     }
 
     if (config.apiKey.length < 32) {
@@ -80,17 +84,24 @@ export const initializeApiKey = async (config: OnairosConfig): Promise<void> =>
       });
     }
 
-    // Validate the API key
+    // Validate the developer API key
     const validation = await validateApiKey(config.apiKey);
     
     if (!validation.isValid) {
-      throw new Error(`API key validation failed: ${validation.error}`);
+      throw new Error(`Developer API key validation failed: ${validation.error}`);
     }
 
+    // Try to load existing JWT token
+    await loadJWT();
+
     isInitialized = true;
     
     if (globalConfig.enableLogging) {
       console.log('✅ Onairos SDK initialized successfully');
+      console.log('🔑 Developer API key ready for app-level operations');
+      if (userToken) {
+        console.log('🎫 User JWT token loaded from storage');
+      }
       if (validation.permissions) {
         console.log('🔐 API Key Permissions:', validation.permissions);
       }
@@ -284,6 +295,201 @@ export const isApiKeyInitialized = (): boolean => {
   return isInitialized && globalConfig !== null;
 };
 
+/**
+ * Store JWT token securely after email verification
+ * @param token JWT token from email verification response
+ */
+export const storeJWT = async (token: string): Promise<void> => {
+  try {
+    await AsyncStorage.setItem(JWT_TOKEN_KEY, token);
+    userToken = token;
+    
+    if (globalConfig?.enableLogging) {
+      console.log('🎫 JWT token stored successfully');
+    }
+  } catch (error) {
+    console.error('❌ Failed to store JWT token:', error);
+    throw error;
+  }
+};
+
+/**
+ * Load JWT token from storage
+ * @returns JWT token or null if not found
+ */
+export const loadJWT = async (): Promise<string | null> => {
+  try {
+    const token = await AsyncStorage.getItem(JWT_TOKEN_KEY);
+    userToken = token;
+    return token;
+  } catch (error) {
+    console.error('❌ Failed to load JWT token:', error);
+    return null;
+  }
+};
+
+/**
+ * Get current JWT token
+ * @returns JWT token or null if not available
+ */
+export const getJWT = (): string | null => {
+  return userToken;
+};
+
+/**
+ * Clear JWT token (on logout or token expiration)
+ */
+export const clearJWT = async (): Promise<void> => {
+  try {
+    await AsyncStorage.removeItem(JWT_TOKEN_KEY);
+    userToken = null;
+    
+    if (globalConfig?.enableLogging) {
+      console.log('🗑️ JWT token cleared');
+    }
+  } catch (error) {
+    console.error('❌ Failed to clear JWT token:', error);
+  }
+};
+
+/**
+ * React Native compatible base64 decoder
+ * @param str Base64 encoded string
+ * @returns Decoded string
+ */
+const base64Decode = (str: string): string => {
+  // Simple base64 decoding for React Native
+  const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
+  let result = '';
+  let i = 0;
+  
+  str = str.replace(/[^A-Za-z0-9+/]/g, '');
+  
+  while (i < str.length) {
+    const a = chars.indexOf(str.charAt(i++));
+    const b = chars.indexOf(str.charAt(i++));
+    const c = chars.indexOf(str.charAt(i++));
+    const d = chars.indexOf(str.charAt(i++));
+    
+    const bitmap = (a << 18) | (b << 12) | (c << 6) | d;
+    
+    result += String.fromCharCode((bitmap >> 16) & 255);
+    if (c !== 64) result += String.fromCharCode((bitmap >> 8) & 255);
+    if (d !== 64) result += String.fromCharCode(bitmap & 255);
+  }
+  
+  return result;
+};
+
+/**
+ * Decode JWT token payload (React Native compatible)
+ * @param token JWT token string
+ * @returns Decoded payload or null if invalid
+ */
+export const decodeJWTPayload = (token: string): any => {
+  try {
+    // Split JWT token (header.payload.signature)
+    const parts = token.split('.');
+    if (parts.length !== 3) {
+      console.error('❌ Invalid JWT token format');
+      return null;
+    }
+
+    // Decode payload (base64url to base64)
+    const payload = parts[1];
+    const base64 = payload.replace(/-/g, '+').replace(/_/g, '/');
+    
+    // Add padding if needed
+    const padded = base64.padEnd(Math.ceil(base64.length / 4) * 4, '=');
+    
+    // Decode base64 to JSON using React Native compatible decoder
+    const decoded = base64Decode(padded);
+    return JSON.parse(decoded);
+  } catch (error) {
+    console.error('❌ Failed to decode JWT token:', error);
+    return null;
+  }
+};
+
+/**
+ * Extract username from JWT token
+ * @param token JWT token (optional, uses stored token if not provided)
+ * @returns Username or null if not found
+ */
+export const extractUsernameFromJWT = (token?: string): string | null => {
+  try {
+    const jwtToken = token || userToken;
+    if (!jwtToken) {
+      console.warn('⚠️ No JWT token available for username extraction');
+      return null;
+    }
+
+    const payload = decodeJWTPayload(jwtToken);
+    if (!payload) {
+      return null;
+    }
+
+    // Try different possible username fields in order of preference
+    const username = payload.userName || payload.username || payload.userId || payload.email;
+    
+    if (globalConfig?.enableLogging) {
+      console.log('👤 Extracted username from JWT:', username);
+    }
+
+    return username || null;
+  } catch (error) {
+    console.error('❌ Failed to extract username from JWT:', error);
+    return null;
+  }
+};
+
+/**
+ * Extract user data from JWT token
+ * @param token JWT token (optional, uses stored token if not provided)
+ * @returns User data object or null if not found
+ */
+export const extractUserDataFromJWT = (token?: string): any => {
+  try {
+    const jwtToken = token || userToken;
+    if (!jwtToken) {
+      console.warn('⚠️ No JWT token available for user data extraction');
+      return null;
+    }
+
+    const payload = decodeJWTPayload(jwtToken);
+    if (!payload) {
+      return null;
+    }
+
+    const userData = {
+      id: payload.id,
+      email: payload.email,
+      userId: payload.userId,
+      userName: payload.userName || payload.username,
+      verified: payload.verified,
+      iat: payload.iat,
+      exp: payload.exp
+    };
+
+    if (globalConfig?.enableLogging) {
+      console.log('👤 Extracted user data from JWT:', userData);
+    }
+
+    return userData;
+  } catch (error) {
+    console.error('❌ Failed to extract user data from JWT:', error);
+    return null;
+  }
+};
+
+/**
+ * Check if user is authenticated with JWT token
+ * @returns True if user has valid JWT token
+ */
+export const isUserAuthenticated = (): boolean => {
+  return !!userToken;
+};
+
 /**
  * Get authenticated headers for API requests
  * @returns Headers object with Authorization and other required headers
@@ -306,6 +512,46 @@ export const getAuthHeaders = (): Record<string, string> => {
   };
 };
 
+/**
+ * Get authentication headers for developer API requests
+ * @returns Headers with developer API key
+ */
+export const getDeveloperAuthHeaders = (): Record<string, string> => {
+  if (!globalConfig?.apiKey) {
+    throw new Error('SDK not initialized. Call initializeApiKey() first.');
+  }
+
+  const keyType = getApiKeyType(globalConfig.apiKey);
+  
+  return {
+    'Content-Type': 'application/json',
+    'Authorization': `Bearer ${globalConfig.apiKey}`,
+    'User-Agent': 'OnairosSDK/1.0.0',
+    'X-SDK-Version': '3.0.72',
+    'X-SDK-Environment': globalConfig.environment || 'production',
+    'X-API-Key-Type': keyType,
+    'X-Timestamp': new Date().toISOString(),
+  };
+};
+
+/**
+ * Get authentication headers for user JWT requests
+ * @returns Headers with user JWT token
+ */
+export const getUserAuthHeaders = (): Record<string, string> => {
+  if (!userToken) {
+    throw new Error('User not authenticated. Please verify email first.');
+  }
+
+  return {
+    'Content-Type': 'application/json',
+    'Authorization': `Bearer ${userToken}`,
+    'User-Agent': 'OnairosSDK/1.0.0',
+    'X-SDK-Version': '3.0.72',
+    'X-SDK-Environment': globalConfig?.environment || 'production',
+  };
+};
+
 /**
  * Make an authenticated API request
  * @param endpoint The API endpoint (relative to base URL)
@@ -380,6 +626,154 @@ export const makeAuthenticatedRequest = async (
   }
 };
 
+/**
+ * Make authenticated request with developer API key
+ * @param endpoint The API endpoint
+ * @param options Fetch options
+ * @returns Response promise
+ */
+export const makeDeveloperRequest = async (
+  endpoint: string,
+  options: RequestInit = {}
+): Promise<Response> => {
+  if (!isApiKeyInitialized()) {
+    throw new Error('SDK not initialized. Call initializeApiKey() first.');
+  }
+
+  const config = getApiConfig()!;
+  const baseUrl = API_ENDPOINTS[config.environment || 'production'];
+  const url = `${baseUrl}${endpoint.startsWith('/') ? '' : '/'}${endpoint}`;
+
+  // Merge developer authentication headers
+  const headers = {
+    ...getDeveloperAuthHeaders(),
+    ...(options.headers || {}),
+  };
+
+  // Add timeout
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), config.timeout || 30000);
+
+  try {
+    if (config.enableLogging) {
+      console.log(`🌐 Making developer request to: ${endpoint}`);
+    }
+
+    const response = await fetch(url, {
+      ...options,
+      headers,
+      signal: controller.signal,
+    });
+
+    clearTimeout(timeoutId);
+
+    if (config.enableLogging) {
+      console.log(`📡 Developer request response: ${response.status} for ${endpoint}`);
+    }
+
+    // Handle API key errors
+    if (response.status === 401) {
+      console.error('❌ Developer API key authentication failed');
+      throw new Error('Invalid or expired API key');
+    }
+
+    if (response.status === 403) {
+      console.error('❌ Developer API key permissions insufficient');
+      throw new Error('Insufficient API key permissions');
+    }
+
+    if (response.status === 429) {
+      console.error('❌ API rate limit exceeded');
+      throw new Error('Rate limit exceeded');
+    }
+
+    return response;
+  } catch (error) {
+    clearTimeout(timeoutId);
+    
+    if (error.name === 'AbortError') {
+      console.error('⏱️ Request timeout for:', endpoint);
+      throw new Error('Request timeout');
+    }
+    
+    throw error;
+  }
+};
+
+/**
+ * Make authenticated request with user JWT token
+ * @param endpoint The API endpoint
+ * @param options Fetch options
+ * @returns Response promise
+ */
+export const makeUserRequest = async (
+  endpoint: string,
+  options: RequestInit = {}
+): Promise<Response> => {
+  if (!isUserAuthenticated()) {
+    await loadJWT(); // Try to load from storage
+  }
+
+  if (!isUserAuthenticated()) {
+    throw new Error('User not authenticated. Please verify email first.');
+  }
+
+  const config = getApiConfig() || { environment: 'production', timeout: 30000, enableLogging: false };
+  const baseUrl = API_ENDPOINTS[config.environment || 'production'];
+  const url = `${baseUrl}${endpoint.startsWith('/') ? '' : '/'}${endpoint}`;
+
+  // Merge user authentication headers
+  const headers = {
+    ...getUserAuthHeaders(),
+    ...(options.headers || {}),
+  };
+
+  // Add timeout
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), config.timeout || 30000);
+
+  try {
+    if (config.enableLogging) {
+      console.log(`🌐 Making user request to: ${endpoint}`);
+    }
+
+    const response = await fetch(url, {
+      ...options,
+      headers,
+      signal: controller.signal,
+    });
+
+    clearTimeout(timeoutId);
+
+    if (config.enableLogging) {
+      console.log(`📡 User request response: ${response.status} for ${endpoint}`);
+    }
+
+    // Handle JWT token errors
+    if (response.status === 401) {
+      console.error('❌ JWT token authentication failed - token may be expired');
+      await clearJWT(); // Clear expired token
+      throw new Error('Authentication expired. Please verify email again.');
+    }
+
+    if (response.status === 403) {
+      console.error('❌ JWT token permissions insufficient');
+      throw new Error('Insufficient permissions for this operation');
+    }
+
+    return response;
+  } catch (error) {
+    clearTimeout(timeoutId);
+    
+    if (error.name === 'AbortError') {
+      console.error('⏱️ Request timeout for:', endpoint);
+      throw new Error('Request timeout');
+    }
+    
+    throw error;
+  }
+};
+
 /**
  * Clear the API key validation cache
  */