@oneaccount/express 0.1.0

package/README.md

@@ -0,0 +1,107 @@
+# @oneaccount/express
+
+Express.js SDK for OneAccount - Authentication, entitlements, and Stripe Connect integration.
+
+## Installation
+
+```bash
+npm install @oneaccount/express
+```
+
+## Quick Start
+
+```javascript
+import express from 'express';
+import { oneAccount } from '@oneaccount/express';
+
+const app = express();
+app.use(express.json());
+
+// Initialize SDK
+const oa = oneAccount({
+  apiKey: process.env.ONEACCOUNT_API_KEY,
+  accountProUrl: 'https://myaccount.one', // optional
+  debug: true, // optional - logs auth errors
+});
+
+// Add auth middleware to all routes
+app.use(oa.middleware);
+
+// Mount Stripe Connect routes
+oa.mountRoutes(app, '/api/connect');
+
+// Protected route - requires authentication
+app.get('/api/profile', oa.requireAuth, (req, res) => {
+  res.json({ user: req.oneAccount.user });
+});
+
+// Protected route - requires specific entitlement
+app.get('/api/classes', oa.requireEntitlement('classy'), (req, res) => {
+  res.json({ message: 'Welcome to Classy!' });
+});
+
+// Admin-only route
+app.get('/api/admin', oa.requireSuperAdmin, (req, res) => {
+  res.json({ message: 'Admin access granted' });
+});
+
+app.listen(3000);
+```
+
+## Configuration
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `apiKey` | string | required | Your OneAccount API key |
+| `accountProUrl` | string | `https://myaccount.one` | OneAccount server URL |
+| `jwksUrl` | string | auto | JWKS endpoint URL (auto-derived from accountProUrl) |
+| `debug` | boolean | `false` | Log authentication errors |
+
+## Middleware
+
+### `oa.middleware`
+
+Parses JWT from `Authorization: Bearer <token>` header and populates `req.oneAccount.user`.
+
+### `oa.requireAuth`
+
+Returns 401 if no authenticated user.
+
+### `oa.requireEntitlement(entitlement)`
+
+Returns 403 if user doesn't have the specified entitlement (`sweetcart` or `classy`).
+
+### `oa.requireSuperAdmin`
+
+Returns 403 if user is not a super admin.
+
+## Stripe Connect Routes
+
+When you call `oa.mountRoutes(app, '/api/connect')`, the following routes are available:
+
+| Method | Path | Description |
+|--------|------|-------------|
+| GET | `/api/connect/account` | Get Stripe Connect status |
+| POST | `/api/connect/account` | Create Stripe Express account |
+| POST | `/api/connect/onboarding-link` | Get Stripe onboarding URL |
+| POST | `/api/connect/dashboard-link` | Get Stripe Express dashboard URL |
+| GET | `/api/connect/transactions` | List transactions |
+| GET | `/api/connect/balance` | Get account balance |
+| POST | `/api/connect/payment` | Create marketplace payment |
+| POST | `/api/connect/refund` | Refund a payment |
+
+## TypeScript
+
+The SDK is fully typed. Import types as needed:
+
+```typescript
+import type { 
+  OneAccountRequest, 
+  OneAccountUser, 
+  Entitlements 
+} from '@oneaccount/express';
+```
+
+## License
+
+MIT

package/dist/client/accountPro.d.ts

@@ -0,0 +1,43 @@
+import type { OneAccountConfig, StripeConnectStatus, StripeTransaction, StripeBalance } from "../types";
+export declare class AccountProClient {
+    private baseUrl;
+    private apiKey;
+    private debug;
+    constructor(config: OneAccountConfig);
+    private log;
+    private request;
+    getConnectStatus(token: string): Promise<StripeConnectStatus>;
+    createConnectAccount(token: string): Promise<StripeConnectStatus>;
+    getOnboardingLink(token: string, returnUrl: string, refreshUrl: string): Promise<{
+        url: string;
+        expiresAt: number;
+    }>;
+    getDashboardLink(token: string): Promise<{
+        url: string;
+    }>;
+    getTransactions(token: string, options?: {
+        limit?: number;
+        starting_after?: string;
+    }): Promise<{
+        transactions: StripeTransaction[];
+        has_more: boolean;
+    }>;
+    getBalance(token: string): Promise<StripeBalance>;
+    createPayment(token: string, data: {
+        amount: number;
+        currency?: string;
+        description?: string;
+        customer?: string;
+    }): Promise<{
+        paymentIntentId: string;
+        clientSecret: string;
+    }>;
+    refundPayment(token: string, data: {
+        paymentIntentId: string;
+        amount?: number;
+        reason?: string;
+    }): Promise<{
+        refundId: string;
+        status: string;
+    }>;
+}

package/dist/client/accountPro.js

@@ -0,0 +1,86 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AccountProClient = void 0;
+class AccountProClient {
+    constructor(config) {
+        this.baseUrl = config.accountProUrl || "https://myaccount.one";
+        this.apiKey = config.apiKey;
+        this.debug = config.debug || false;
+    }
+    log(message, data) {
+        if (this.debug) {
+            console.log(`[OneAccount] ${message}`, data || "");
+        }
+    }
+    async request(path, options = {}) {
+        const { token, ...fetchOptions } = options;
+        const headers = {
+            "Content-Type": "application/json",
+            "X-API-Key": this.apiKey,
+            ...options.headers,
+        };
+        if (token) {
+            headers["Authorization"] = `Bearer ${token}`;
+        }
+        const url = `${this.baseUrl}${path}`;
+        this.log(`${options.method || "GET"} ${path}`);
+        const response = await fetch(url, {
+            ...fetchOptions,
+            headers,
+        });
+        if (!response.ok) {
+            const errorData = await response.json().catch(() => ({}));
+            throw new Error(errorData.error || `Request failed: ${response.status}`);
+        }
+        return response.json();
+    }
+    async getConnectStatus(token) {
+        return this.request("/api/connect/account", { token });
+    }
+    async createConnectAccount(token) {
+        return this.request("/api/connect/account", {
+            method: "POST",
+            token,
+        });
+    }
+    async getOnboardingLink(token, returnUrl, refreshUrl) {
+        return this.request("/api/connect/onboarding-link", {
+            method: "POST",
+            token,
+            body: JSON.stringify({ return_url: returnUrl, refresh_url: refreshUrl }),
+        });
+    }
+    async getDashboardLink(token) {
+        return this.request("/api/connect/dashboard-link", {
+            method: "POST",
+            token,
+        });
+    }
+    async getTransactions(token, options) {
+        const params = new URLSearchParams();
+        if (options?.limit)
+            params.set("limit", String(options.limit));
+        if (options?.starting_after)
+            params.set("starting_after", options.starting_after);
+        const query = params.toString() ? `?${params.toString()}` : "";
+        return this.request(`/api/connect/transactions${query}`, { token });
+    }
+    async getBalance(token) {
+        return this.request("/api/connect/balance", { token });
+    }
+    async createPayment(token, data) {
+        return this.request("/api/connect/payment", {
+            method: "POST",
+            token,
+            body: JSON.stringify(data),
+        });
+    }
+    async refundPayment(token, data) {
+        return this.request("/api/connect/refund", {
+            method: "POST",
+            token,
+            body: JSON.stringify(data),
+        });
+    }
+}
+exports.AccountProClient = AccountProClient;

package/dist/index.d.ts

@@ -0,0 +1,17 @@
+import type { Express } from "express";
+import { createAuthMiddleware, requireAuth, requireEntitlement, requireSuperAdmin } from "./middleware/auth";
+import { AccountProClient } from "./client/accountPro";
+import type { OneAccountConfig } from "./types";
+export interface OneAccountSDK {
+    middleware: ReturnType<typeof createAuthMiddleware>;
+    requireAuth: typeof requireAuth;
+    requireEntitlement: typeof requireEntitlement;
+    requireSuperAdmin: typeof requireSuperAdmin;
+    client: AccountProClient;
+    mountRoutes: (app: Express, basePath?: string) => void;
+}
+export declare function oneAccount(config: OneAccountConfig): OneAccountSDK;
+export { createAuthMiddleware, requireAuth, requireEntitlement, requireSuperAdmin, } from "./middleware/auth";
+export { createStripeConnectRoutes } from "./routes/stripeConnect";
+export { AccountProClient } from "./client/accountPro";
+export type { OneAccountConfig, OneAccountRequest, OneAccountUser, Entitlements, } from "./types";

package/dist/index.js

@@ -0,0 +1,37 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AccountProClient = exports.createStripeConnectRoutes = exports.requireSuperAdmin = exports.requireEntitlement = exports.requireAuth = exports.createAuthMiddleware = void 0;
+exports.oneAccount = oneAccount;
+const auth_1 = require("./middleware/auth");
+const stripeConnect_1 = require("./routes/stripeConnect");
+const accountPro_1 = require("./client/accountPro");
+function oneAccount(config) {
+    if (!config.apiKey) {
+        throw new Error("OneAccount SDK requires an API key");
+    }
+    const resolvedConfig = {
+        accountProUrl: config.accountProUrl || "https://myaccount.one",
+        ...config,
+    };
+    const authMiddleware = (0, auth_1.createAuthMiddleware)(resolvedConfig);
+    const client = new accountPro_1.AccountProClient(resolvedConfig);
+    return {
+        middleware: authMiddleware,
+        requireAuth: auth_1.requireAuth,
+        requireEntitlement: auth_1.requireEntitlement,
+        requireSuperAdmin: auth_1.requireSuperAdmin,
+        client,
+        mountRoutes: (app, basePath = "/api/connect") => {
+            app.use(basePath, (0, stripeConnect_1.createStripeConnectRoutes)(resolvedConfig));
+        },
+    };
+}
+var auth_2 = require("./middleware/auth");
+Object.defineProperty(exports, "createAuthMiddleware", { enumerable: true, get: function () { return auth_2.createAuthMiddleware; } });
+Object.defineProperty(exports, "requireAuth", { enumerable: true, get: function () { return auth_2.requireAuth; } });
+Object.defineProperty(exports, "requireEntitlement", { enumerable: true, get: function () { return auth_2.requireEntitlement; } });
+Object.defineProperty(exports, "requireSuperAdmin", { enumerable: true, get: function () { return auth_2.requireSuperAdmin; } });
+var stripeConnect_2 = require("./routes/stripeConnect");
+Object.defineProperty(exports, "createStripeConnectRoutes", { enumerable: true, get: function () { return stripeConnect_2.createStripeConnectRoutes; } });
+var accountPro_2 = require("./client/accountPro");
+Object.defineProperty(exports, "AccountProClient", { enumerable: true, get: function () { return accountPro_2.AccountProClient; } });

package/dist/middleware/auth.d.ts

@@ -0,0 +1,6 @@
+import type { Response, NextFunction } from "express";
+import type { OneAccountConfig, OneAccountRequest } from "../types";
+export declare function createAuthMiddleware(config: OneAccountConfig): (req: OneAccountRequest, res: Response, next: NextFunction) => Promise<void>;
+export declare function requireAuth(req: OneAccountRequest, res: Response, next: NextFunction): Response<any, Record<string, any>> | undefined;
+export declare function requireEntitlement(entitlement: "sweetcart" | "classy"): (req: OneAccountRequest, res: Response, next: NextFunction) => Response<any, Record<string, any>> | undefined;
+export declare function requireSuperAdmin(req: OneAccountRequest, res: Response, next: NextFunction): Response<any, Record<string, any>> | undefined;

package/dist/middleware/auth.js

@@ -0,0 +1,143 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuthMiddleware = createAuthMiddleware;
+exports.requireAuth = requireAuth;
+exports.requireEntitlement = requireEntitlement;
+exports.requireSuperAdmin = requireSuperAdmin;
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+let cachedJWKS = null;
+let jwksCacheExpiry = 0;
+async function fetchJWKS(jwksUrl) {
+    const now = Date.now();
+    if (cachedJWKS && now < jwksCacheExpiry) {
+        return cachedJWKS;
+    }
+    const response = await fetch(jwksUrl);
+    if (!response.ok) {
+        throw new Error(`Failed to fetch JWKS: ${response.status}`);
+    }
+    cachedJWKS = await response.json();
+    jwksCacheExpiry = now + 3600000;
+    return cachedJWKS;
+}
+function rsaPublicKeyFromJWK(jwk) {
+    const n = Buffer.from(jwk.n, "base64url");
+    const e = Buffer.from(jwk.e, "base64url");
+    const nLen = n.length;
+    const eLen = e.length;
+    const nLenBytes = nLen < 128
+        ? [nLen]
+        : nLen < 256
+            ? [0x81, nLen]
+            : [0x82, (nLen >> 8) & 0xff, nLen & 0xff];
+    const eLenBytes = eLen < 128
+        ? [eLen]
+        : eLen < 256
+            ? [0x81, eLen]
+            : [0x82, (eLen >> 8) & 0xff, eLen & 0xff];
+    const nSequence = [0x02, ...nLenBytes, ...n];
+    const eSequence = [0x02, ...eLenBytes, ...e];
+    const innerSequence = [...nSequence, ...eSequence];
+    const innerLen = innerSequence.length;
+    const innerLenBytes = innerLen < 128
+        ? [innerLen]
+        : innerLen < 256
+            ? [0x81, innerLen]
+            : [0x82, (innerLen >> 8) & 0xff, innerLen & 0xff];
+    const bitString = [0x30, ...innerLenBytes, ...innerSequence];
+    const bitStringWithHeader = [
+        0x03,
+        bitString.length + 1,
+        0x00,
+        ...bitString,
+    ];
+    const rsaOID = [
+        0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+        0x01, 0x05, 0x00,
+    ];
+    const fullSequence = [...rsaOID, ...bitStringWithHeader];
+    const fullLen = fullSequence.length;
+    const fullLenBytes = fullLen < 128
+        ? [fullLen]
+        : fullLen < 256
+            ? [0x81, fullLen]
+            : [0x82, (fullLen >> 8) & 0xff, fullLen & 0xff];
+    const der = Buffer.from([0x30, ...fullLenBytes, ...fullSequence]);
+    const pem = `-----BEGIN PUBLIC KEY-----\n${der.toString("base64").match(/.{1,64}/g)?.join("\n")}\n-----END PUBLIC KEY-----`;
+    return pem;
+}
+function createAuthMiddleware(config) {
+    const jwksUrl = config.jwksUrl ||
+        `${config.accountProUrl || "https://myaccount.one"}/.well-known/jwks.json`;
+    return async function authMiddleware(req, res, next) {
+        req.oneAccount = { user: null };
+        const authHeader = req.headers.authorization;
+        if (!authHeader?.startsWith("Bearer ")) {
+            return next();
+        }
+        const token = authHeader.substring(7);
+        try {
+            const decoded = jsonwebtoken_1.default.decode(token, { complete: true });
+            if (!decoded) {
+                return next();
+            }
+            const jwks = await fetchJWKS(jwksUrl);
+            const key = decoded.header.kid
+                ? jwks.keys.find((k) => k.kid === decoded.header.kid)
+                : jwks.keys[0];
+            if (!key) {
+                if (config.debug) {
+                    console.error("[OneAccount] No matching key found in JWKS");
+                }
+                return next();
+            }
+            const publicKey = rsaPublicKeyFromJWK(key);
+            const payload = jsonwebtoken_1.default.verify(token, publicKey, {
+                algorithms: ["RS256"],
+            });
+            req.oneAccount = {
+                user: {
+                    personId: payload.personId || payload.sub || "",
+                    email: payload.email,
+                    role: payload.role,
+                    entitlements: payload.entitlements,
+                },
+            };
+        }
+        catch (err) {
+            if (config.debug) {
+                console.error("[OneAccount] JWT verification failed:", err);
+            }
+        }
+        next();
+    };
+}
+function requireAuth(req, res, next) {
+    if (!req.oneAccount?.user) {
+        return res.status(401).json({ error: "Authentication required" });
+    }
+    next();
+}
+function requireEntitlement(entitlement) {
+    return function (req, res, next) {
+        if (!req.oneAccount?.user) {
+            return res.status(401).json({ error: "Authentication required" });
+        }
+        if (!req.oneAccount.user.entitlements?.[entitlement]) {
+            return res.status(403).json({ error: `${entitlement} subscription required` });
+        }
+        next();
+    };
+}
+function requireSuperAdmin(req, res, next) {
+    if (!req.oneAccount?.user) {
+        return res.status(401).json({ error: "Authentication required" });
+    }
+    if (req.oneAccount.user.role !== "super_admin") {
+        return res.status(403).json({ error: "Admin access required" });
+    }
+    next();
+}

package/dist/routes/stripeConnect.d.ts

@@ -0,0 +1,3 @@
+import type { Router } from "express";
+import type { OneAccountConfig } from "../types";
+export declare function createStripeConnectRoutes(config: OneAccountConfig): Router;

package/dist/routes/stripeConnect.js

@@ -0,0 +1,101 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createStripeConnectRoutes = createStripeConnectRoutes;
+const express_1 = require("express");
+const accountPro_1 = require("../client/accountPro");
+const auth_1 = require("../middleware/auth");
+function createStripeConnectRoutes(config) {
+    const router = (0, express_1.Router)();
+    const client = new accountPro_1.AccountProClient(config);
+    function getToken(req) {
+        const authHeader = req.headers.authorization;
+        return authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
+    }
+    router.get("/account", auth_1.requireAuth, async (req, res) => {
+        try {
+            const status = await client.getConnectStatus(getToken(req));
+            res.json(status);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Failed to get account status";
+            res.status(400).json({ error: message });
+        }
+    });
+    router.post("/account", auth_1.requireAuth, async (req, res) => {
+        try {
+            const status = await client.createConnectAccount(getToken(req));
+            res.json(status);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Failed to create account";
+            res.status(400).json({ error: message });
+        }
+    });
+    router.post("/onboarding-link", auth_1.requireAuth, async (req, res) => {
+        try {
+            const { return_url, refresh_url } = req.body;
+            if (!return_url || !refresh_url) {
+                return res.status(400).json({ error: "return_url and refresh_url are required" });
+            }
+            const result = await client.getOnboardingLink(getToken(req), return_url, refresh_url);
+            res.json(result);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Failed to get onboarding link";
+            res.status(400).json({ error: message });
+        }
+    });
+    router.post("/dashboard-link", auth_1.requireAuth, async (req, res) => {
+        try {
+            const result = await client.getDashboardLink(getToken(req));
+            res.json(result);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Failed to get dashboard link";
+            res.status(400).json({ error: message });
+        }
+    });
+    router.get("/transactions", auth_1.requireAuth, async (req, res) => {
+        try {
+            const limit = parseInt(req.query.limit) || undefined;
+            const starting_after = req.query.starting_after;
+            const result = await client.getTransactions(getToken(req), { limit, starting_after });
+            res.json(result);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Failed to get transactions";
+            res.status(400).json({ error: message });
+        }
+    });
+    router.get("/balance", auth_1.requireAuth, async (req, res) => {
+        try {
+            const result = await client.getBalance(getToken(req));
+            res.json(result);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Failed to get balance";
+            res.status(400).json({ error: message });
+        }
+    });
+    router.post("/payment", auth_1.requireAuth, async (req, res) => {
+        try {
+            const result = await client.createPayment(getToken(req), req.body);
+            res.json(result);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Failed to create payment";
+            res.status(400).json({ error: message });
+        }
+    });
+    router.post("/refund", auth_1.requireAuth, async (req, res) => {
+        try {
+            const result = await client.refundPayment(getToken(req), req.body);
+            res.json(result);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Failed to process refund";
+            res.status(400).json({ error: message });
+        }
+    });
+    return router;
+}

package/dist/types/index.d.ts

@@ -0,0 +1,53 @@
+import type { Request } from "express";
+export interface Entitlements {
+    sweetcart: boolean;
+    classy: boolean;
+}
+export interface OneAccountUser {
+    personId: string;
+    email: string;
+    role: "super_admin" | "owner";
+    entitlements: Entitlements;
+}
+export interface OneAccountRequest extends Request {
+    oneAccount?: {
+        user: OneAccountUser | null;
+        apiKey?: {
+            appName: string;
+            permissions: string[];
+        };
+    };
+}
+export interface OneAccountConfig {
+    apiKey: string;
+    accountProUrl?: string;
+    jwksUrl?: string;
+    cacheMaxAge?: number;
+    debug?: boolean;
+}
+export interface StripeConnectStatus {
+    hasAccount: boolean;
+    accountId?: string;
+    chargesEnabled?: boolean;
+    payoutsEnabled?: boolean;
+    detailsSubmitted?: boolean;
+    requiresOnboarding?: boolean;
+}
+export interface StripeTransaction {
+    id: string;
+    amount: number;
+    currency: string;
+    status: string;
+    created: number;
+    description?: string;
+}
+export interface StripeBalance {
+    available: {
+        amount: number;
+        currency: string;
+    }[];
+    pending: {
+        amount: number;
+        currency: string;
+    }[];
+}

package/dist/types/index.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "@oneaccount/express",
+  "version": "0.1.0",
+  "description": "OneAccount SDK for Express.js - Authentication, entitlements, and Stripe Connect",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "oneaccount",
+    "express",
+    "authentication",
+    "jwt",
+    "stripe",
+    "connect"
+  ],
+  "author": "OneAccount",
+  "license": "MIT",
+  "peerDependencies": {
+    "express": "^4.0.0 || ^5.0.0"
+  },
+  "dependencies": {
+    "jsonwebtoken": "^9.0.0"
+  },
+  "devDependencies": {
+    "@types/express": "^4.17.0",
+    "@types/jsonwebtoken": "^9.0.0",
+    "@types/node": "^20.0.0",
+    "typescript": "^5.0.0"
+  }
+}