@oneaccount/express 0.1.1 → 0.2.0

package/README.md

@@ -90,6 +90,67 @@ When you call `oa.mountRoutes(app, '/api/connect')`, the following routes are av
 | POST | `/api/connect/payment` | Create marketplace payment |
 | POST | `/api/connect/refund` | Refund a payment |
 
+## Buyer Authentication
+
+For marketplace apps where sellers have their own customers (buyers), the SDK provides buyer authentication:
+
+```typescript
+import type { BuyerAuthRequest } from '@oneaccount/express';
+
+// Mount buyer auth routes
+oa.mountBuyerRoutes(app, '/api/buyer');
+
+// Add buyer middleware to routes that need buyer auth
+app.use('/api/customer', oa.buyerMiddleware);
+
+// Protected buyer route - use BuyerAuthRequest for typing
+app.get('/api/customer/orders', oa.requireBuyerAuth, (req: BuyerAuthRequest, res) => {
+  const buyer = req.buyer!; // Non-null after requireBuyerAuth
+  res.json({ buyerId: buyer.buyerId, sellerId: buyer.sellerId });
+});
+
+// Restrict to specific seller's buyers
+app.get('/api/customer/classes', oa.requireBuyerForSeller('seller-uuid'), (req: BuyerAuthRequest, res) => {
+  res.json({ message: 'Welcome!' });
+});
+```
+
+### Buyer Auth Routes
+
+When you call `oa.mountBuyerRoutes(app, '/api/buyer')`:
+
+| Method | Path | Description |
+|--------|------|-------------|
+| POST | `/api/buyer/magic/request` | Request magic login link (email or SMS) |
+| GET | `/api/buyer/magic/verify` | Verify magic token and get JWT |
+| GET | `/api/buyer/profile` | Get buyer profile (requires auth) |
+
+### Magic Link Request Body
+
+```json
+{
+  "email": "customer@example.com",
+  "sellerId": "seller-uuid",
+  "channel": "email"
+}
+```
+
+Or for SMS:
+
+```json
+{
+  "phone": "+15551234567",
+  "sellerId": "seller-uuid", 
+  "channel": "sms"
+}
+```
+
+### Buyer Middleware
+
+- `oa.buyerMiddleware` - Parses buyer JWT from `Authorization: Bearer <token>` header
+- `oa.requireBuyerAuth` - Returns 401 if no authenticated buyer
+- `oa.requireBuyerForSeller(sellerId)` - Returns 403 if buyer doesn't belong to seller
+
 ## TypeScript
 
 The SDK is fully typed. Import types as needed:
@@ -98,7 +159,9 @@ The SDK is fully typed. Import types as needed:
 import type { 
   OneAccountRequest, 
   OneAccountUser, 
-  Entitlements 
+  Entitlements,
+  BuyerAuthRequest,
+  BuyerUser,
 } from '@oneaccount/express';
 ```
 

package/dist/client/accountPro.d.ts

@@ -1,4 +1,4 @@
-import type { OneAccountConfig, StripeConnectStatus, StripeTransaction, StripeBalance } from "../types";
+import type { OneAccountConfig, StripeConnectStatus, StripeTransaction, StripeBalance, BuyerMagicRequestData, BuyerMagicVerifyResponse, BuyerProfileResponse } from "../types";
 export declare class AccountProClient {
     private baseUrl;
     private apiKey;
@@ -40,4 +40,10 @@ export declare class AccountProClient {
         refundId: string;
         status: string;
     }>;
+    requestBuyerMagicLink(data: BuyerMagicRequestData): Promise<{
+        success: boolean;
+        message: string;
+    }>;
+    verifyBuyerMagicToken(token: string): Promise<BuyerMagicVerifyResponse>;
+    getBuyerProfile(buyerToken: string): Promise<BuyerProfileResponse>;
 }

package/dist/client/accountPro.js

@@ -82,5 +82,18 @@ class AccountProClient {
             body: JSON.stringify(data),
         });
     }
+    // Buyer Auth Methods
+    async requestBuyerMagicLink(data) {
+        return this.request("/buyer/magic/request", {
+            method: "POST",
+            body: JSON.stringify(data),
+        });
+    }
+    async verifyBuyerMagicToken(token) {
+        return this.request(`/buyer/magic/verify?token=${encodeURIComponent(token)}`);
+    }
+    async getBuyerProfile(buyerToken) {
+        return this.request("/buyer/profile", { token: buyerToken });
+    }
 }
 exports.AccountProClient = AccountProClient;

package/dist/index.d.ts

@@ -1,17 +1,24 @@
 import type { Express } from "express";
 import { createAuthMiddleware, requireAuth, requireEntitlement, requireSuperAdmin } from "./middleware/auth";
+import { createBuyerAuthMiddleware, requireBuyerAuth, requireBuyerForSeller } from "./middleware/buyerAuth";
 import { AccountProClient } from "./client/accountPro";
 import type { OneAccountConfig } from "./types";
 export interface OneAccountSDK {
     middleware: ReturnType<typeof createAuthMiddleware>;
+    buyerMiddleware: ReturnType<typeof createBuyerAuthMiddleware>;
     requireAuth: typeof requireAuth;
     requireEntitlement: typeof requireEntitlement;
     requireSuperAdmin: typeof requireSuperAdmin;
+    requireBuyerAuth: typeof requireBuyerAuth;
+    requireBuyerForSeller: typeof requireBuyerForSeller;
     client: AccountProClient;
     mountRoutes: (app: Express, basePath?: string) => void;
+    mountBuyerRoutes: (app: Express, basePath?: string) => void;
 }
 export declare function oneAccount(config: OneAccountConfig): OneAccountSDK;
 export { createAuthMiddleware, requireAuth, requireEntitlement, requireSuperAdmin, } from "./middleware/auth";
+export { createBuyerAuthMiddleware, requireBuyerAuth, requireBuyerForSeller, } from "./middleware/buyerAuth";
 export { createStripeConnectRoutes } from "./routes/stripeConnect";
+export { createBuyerAuthRoutes } from "./routes/buyerAuth";
 export { AccountProClient } from "./client/accountPro";
-export type { OneAccountConfig, OneAccountRequest, OneAccountUser, Entitlements, } from "./types";
+export type { OneAccountConfig, OneAccountRequest, OneAccountUser, Entitlements, BuyerAuthRequest, BuyerUser, BuyerMagicRequestData, BuyerMagicVerifyResponse, BuyerProfileResponse, } from "./types";

package/dist/index.js

@@ -1,9 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AccountProClient = exports.createStripeConnectRoutes = exports.requireSuperAdmin = exports.requireEntitlement = exports.requireAuth = exports.createAuthMiddleware = void 0;
+exports.AccountProClient = exports.createBuyerAuthRoutes = exports.createStripeConnectRoutes = exports.requireBuyerForSeller = exports.requireBuyerAuth = exports.createBuyerAuthMiddleware = exports.requireSuperAdmin = exports.requireEntitlement = exports.requireAuth = exports.createAuthMiddleware = void 0;
 exports.oneAccount = oneAccount;
 const auth_1 = require("./middleware/auth");
+const buyerAuth_1 = require("./middleware/buyerAuth");
 const stripeConnect_1 = require("./routes/stripeConnect");
+const buyerAuth_2 = require("./routes/buyerAuth");
 const accountPro_1 = require("./client/accountPro");
 function oneAccount(config) {
     if (!config.apiKey) {
@@ -14,16 +16,23 @@ function oneAccount(config) {
         ...config,
     };
     const authMiddleware = (0, auth_1.createAuthMiddleware)(resolvedConfig);
+    const buyerAuthMiddleware = (0, buyerAuth_1.createBuyerAuthMiddleware)(resolvedConfig);
     const client = new accountPro_1.AccountProClient(resolvedConfig);
     return {
         middleware: authMiddleware,
+        buyerMiddleware: buyerAuthMiddleware,
         requireAuth: auth_1.requireAuth,
         requireEntitlement: auth_1.requireEntitlement,
         requireSuperAdmin: auth_1.requireSuperAdmin,
+        requireBuyerAuth: buyerAuth_1.requireBuyerAuth,
+        requireBuyerForSeller: buyerAuth_1.requireBuyerForSeller,
         client,
         mountRoutes: (app, basePath = "/api/connect") => {
             app.use(basePath, (0, stripeConnect_1.createStripeConnectRoutes)(resolvedConfig));
         },
+        mountBuyerRoutes: (app, basePath = "/api/buyer") => {
+            app.use(basePath, (0, buyerAuth_2.createBuyerAuthRoutes)(resolvedConfig));
+        },
     };
 }
 var auth_2 = require("./middleware/auth");
@@ -31,7 +40,13 @@ Object.defineProperty(exports, "createAuthMiddleware", { enumerable: true, get:
 Object.defineProperty(exports, "requireAuth", { enumerable: true, get: function () { return auth_2.requireAuth; } });
 Object.defineProperty(exports, "requireEntitlement", { enumerable: true, get: function () { return auth_2.requireEntitlement; } });
 Object.defineProperty(exports, "requireSuperAdmin", { enumerable: true, get: function () { return auth_2.requireSuperAdmin; } });
+var buyerAuth_3 = require("./middleware/buyerAuth");
+Object.defineProperty(exports, "createBuyerAuthMiddleware", { enumerable: true, get: function () { return buyerAuth_3.createBuyerAuthMiddleware; } });
+Object.defineProperty(exports, "requireBuyerAuth", { enumerable: true, get: function () { return buyerAuth_3.requireBuyerAuth; } });
+Object.defineProperty(exports, "requireBuyerForSeller", { enumerable: true, get: function () { return buyerAuth_3.requireBuyerForSeller; } });
 var stripeConnect_2 = require("./routes/stripeConnect");
 Object.defineProperty(exports, "createStripeConnectRoutes", { enumerable: true, get: function () { return stripeConnect_2.createStripeConnectRoutes; } });
+var buyerAuth_4 = require("./routes/buyerAuth");
+Object.defineProperty(exports, "createBuyerAuthRoutes", { enumerable: true, get: function () { return buyerAuth_4.createBuyerAuthRoutes; } });
 var accountPro_2 = require("./client/accountPro");
 Object.defineProperty(exports, "AccountProClient", { enumerable: true, get: function () { return accountPro_2.AccountProClient; } });

package/dist/middleware/auth.js

@@ -85,8 +85,29 @@ function createAuthMiddleware(config) {
     const jwksUrl = config.jwksUrl ||
         `${config.accountProUrl || "https://myaccount.one"}/.well-known/jwks.json`;
     const cookieName = config.cookieName || "auth_token";
+    const autoSetCookie = config.autoSetCookie !== false; // Default to true
     return async function authMiddleware(req, res, next) {
         req.oneAccount = { user: null };
+        // Auto-set cookie from ?token= query parameter (SSO redirect handling)
+        if (autoSetCookie && req.query?.token && typeof req.query.token === 'string') {
+            const tokenFromUrl = req.query.token;
+            // Set the cookie
+            res.cookie(cookieName, tokenFromUrl, {
+                httpOnly: true,
+                secure: process.env.NODE_ENV === 'production',
+                maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days
+                sameSite: 'lax',
+                path: '/',
+            });
+            // Build redirect URL without the token parameter
+            const url = new URL(req.originalUrl || req.url, `${req.protocol}://${req.get('host')}`);
+            url.searchParams.delete('token');
+            const redirectPath = url.pathname + url.search;
+            if (config.debug) {
+                console.log(`[OneAccount] Auto-set cookie from URL token, redirecting to ${redirectPath}`);
+            }
+            return res.redirect(redirectPath);
+        }
         let token = null;
         const authHeader = req.headers.authorization;
         if (authHeader?.startsWith("Bearer ")) {

package/dist/middleware/buyerAuth.d.ts

@@ -0,0 +1,5 @@
+import type { Response, NextFunction } from "express";
+import type { BuyerAuthRequest, OneAccountConfig } from "../types";
+export declare function createBuyerAuthMiddleware(config: OneAccountConfig): (req: BuyerAuthRequest, _res: Response, next: NextFunction) => Promise<void>;
+export declare function requireBuyerAuth(req: BuyerAuthRequest, res: Response, next: NextFunction): Response<any, Record<string, any>> | undefined;
+export declare function requireBuyerForSeller(sellerId: string): (req: BuyerAuthRequest, res: Response, next: NextFunction) => Response<any, Record<string, any>> | undefined;

package/dist/middleware/buyerAuth.js

@@ -0,0 +1,134 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createBuyerAuthMiddleware = createBuyerAuthMiddleware;
+exports.requireBuyerAuth = requireBuyerAuth;
+exports.requireBuyerForSeller = requireBuyerForSeller;
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+let cachedJWKS = null;
+let jwksCacheExpiry = 0;
+async function fetchJWKS(jwksUrl) {
+    const now = Date.now();
+    if (cachedJWKS && now < jwksCacheExpiry) {
+        return cachedJWKS;
+    }
+    const response = await fetch(jwksUrl);
+    if (!response.ok) {
+        throw new Error(`Failed to fetch JWKS: ${response.status}`);
+    }
+    cachedJWKS = await response.json();
+    jwksCacheExpiry = now + 3600000;
+    return cachedJWKS;
+}
+function rsaPublicKeyFromJWK(jwk) {
+    const n = Buffer.from(jwk.n, "base64url");
+    const e = Buffer.from(jwk.e, "base64url");
+    const nLen = n.length;
+    const eLen = e.length;
+    const nLenBytes = nLen < 128
+        ? [nLen]
+        : nLen < 256
+            ? [0x81, nLen]
+            : [0x82, (nLen >> 8) & 0xff, nLen & 0xff];
+    const eLenBytes = eLen < 128
+        ? [eLen]
+        : eLen < 256
+            ? [0x81, eLen]
+            : [0x82, (eLen >> 8) & 0xff, eLen & 0xff];
+    const nSequence = [0x02, ...nLenBytes, ...n];
+    const eSequence = [0x02, ...eLenBytes, ...e];
+    const innerSequence = [...nSequence, ...eSequence];
+    const innerLen = innerSequence.length;
+    const innerLenBytes = innerLen < 128
+        ? [innerLen]
+        : innerLen < 256
+            ? [0x81, innerLen]
+            : [0x82, (innerLen >> 8) & 0xff, innerLen & 0xff];
+    const bitString = [0x30, ...innerLenBytes, ...innerSequence];
+    const bitStringWithHeader = [
+        0x03,
+        bitString.length + 1,
+        0x00,
+        ...bitString,
+    ];
+    const rsaOID = [
+        0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+        0x01, 0x05, 0x00,
+    ];
+    const fullSequence = [...rsaOID, ...bitStringWithHeader];
+    const fullLen = fullSequence.length;
+    const fullLenBytes = fullLen < 128
+        ? [fullLen]
+        : fullLen < 256
+            ? [0x81, fullLen]
+            : [0x82, (fullLen >> 8) & 0xff, fullLen & 0xff];
+    const der = Buffer.from([0x30, ...fullLenBytes, ...fullSequence]);
+    const pem = `-----BEGIN PUBLIC KEY-----\n${der.toString("base64").match(/.{1,64}/g)?.join("\n")}\n-----END PUBLIC KEY-----`;
+    return pem;
+}
+function createBuyerAuthMiddleware(config) {
+    const jwksUrl = config.jwksUrl ||
+        `${config.accountProUrl || "https://myaccount.one"}/.well-known/jwks.json`;
+    return async function buyerAuthMiddleware(req, _res, next) {
+        req.buyer = null;
+        const authHeader = req.headers.authorization;
+        const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : null;
+        if (!token) {
+            return next();
+        }
+        try {
+            const decoded = jsonwebtoken_1.default.decode(token, { complete: true });
+            if (!decoded) {
+                return next();
+            }
+            const jwks = await fetchJWKS(jwksUrl);
+            const key = decoded.header.kid
+                ? jwks.keys.find((k) => k.kid === decoded.header.kid)
+                : jwks.keys[0];
+            if (!key) {
+                if (config.debug) {
+                    console.error("[OneAccount] No matching key found in JWKS for buyer token");
+                }
+                return next();
+            }
+            const publicKey = rsaPublicKeyFromJWK(key);
+            const payload = jsonwebtoken_1.default.verify(token, publicKey, {
+                algorithms: ["RS256"],
+            });
+            if (payload.buyerId && payload.sellerId) {
+                req.buyer = {
+                    buyerId: payload.buyerId,
+                    sellerId: payload.sellerId,
+                    email: payload.email,
+                    name: payload.name,
+                    phone: payload.phone,
+                };
+            }
+        }
+        catch (err) {
+            if (config.debug) {
+                console.error("[OneAccount] Buyer JWT verification failed:", err);
+            }
+        }
+        next();
+    };
+}
+function requireBuyerAuth(req, res, next) {
+    if (!req.buyer) {
+        return res.status(401).json({ error: "Buyer authentication required" });
+    }
+    next();
+}
+function requireBuyerForSeller(sellerId) {
+    return function (req, res, next) {
+        if (!req.buyer) {
+            return res.status(401).json({ error: "Buyer authentication required" });
+        }
+        if (req.buyer.sellerId !== sellerId) {
+            return res.status(403).json({ error: "Access denied for this seller" });
+        }
+        next();
+    };
+}

package/dist/routes/buyerAuth.d.ts

@@ -0,0 +1,3 @@
+import type { Router } from "express";
+import type { OneAccountConfig } from "../types";
+export declare function createBuyerAuthRoutes(config: OneAccountConfig): Router;

package/dist/routes/buyerAuth.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createBuyerAuthRoutes = createBuyerAuthRoutes;
+const express_1 = require("express");
+const accountPro_1 = require("../client/accountPro");
+function createBuyerAuthRoutes(config) {
+    const router = (0, express_1.Router)();
+    const client = new accountPro_1.AccountProClient(config);
+    router.post("/magic/request", async (req, res) => {
+        try {
+            const { email, phone, sellerId, channel: rawChannel } = req.body;
+            if (!sellerId) {
+                return res.status(400).json({ error: "sellerId is required" });
+            }
+            // Default to email if channel not specified
+            const channel = rawChannel || "email";
+            if (channel === "email" && !email) {
+                return res.status(400).json({ error: "email is required for email channel" });
+            }
+            if (channel === "sms" && !phone) {
+                return res.status(400).json({ error: "phone is required for SMS channel" });
+            }
+            const result = await client.requestBuyerMagicLink({
+                email,
+                phone,
+                sellerId,
+                channel,
+            });
+            res.json(result);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Failed to request magic link";
+            res.status(400).json({ error: message });
+        }
+    });
+    router.get("/magic/verify", async (req, res) => {
+        try {
+            const token = req.query.token;
+            if (!token) {
+                return res.status(400).json({ error: "token is required" });
+            }
+            const result = await client.verifyBuyerMagicToken(token);
+            if (result.success && result.token) {
+                res.json({
+                    success: true,
+                    token: result.token,
+                    buyer: result.buyer,
+                });
+            }
+            else {
+                res.status(401).json({
+                    success: false,
+                    error: result.error || "Invalid or expired token",
+                });
+            }
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Failed to verify token";
+            res.status(400).json({ error: message });
+        }
+    });
+    router.get("/profile", async (req, res) => {
+        try {
+            const authHeader = req.headers.authorization;
+            const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
+            if (!token) {
+                return res.status(401).json({ error: "Authorization required" });
+            }
+            const profile = await client.getBuyerProfile(token);
+            res.json(profile);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Failed to get profile";
+            res.status(400).json({ error: message });
+        }
+    });
+    return router;
+}

package/dist/types/index.d.ts

@@ -25,6 +25,14 @@ export interface OneAccountConfig {
     cacheMaxAge?: number;
     debug?: boolean;
     cookieName?: string;
+    /**
+     * Automatically set auth cookie from ?token= URL parameter (SSO redirect handling).
+     * When enabled (default: true), the middleware will:
+     * 1. Detect ?token= in the URL
+     * 2. Set it as an HttpOnly cookie
+     * 3. Redirect to the same URL without the token parameter
+     */
+    autoSetCookie?: boolean;
 }
 export interface StripeConnectStatus {
     hasAccount: boolean;
@@ -52,3 +60,32 @@ export interface StripeBalance {
         currency: string;
     }[];
 }
+export interface BuyerUser {
+    buyerId: string;
+    sellerId: string;
+    email: string;
+    name?: string;
+    phone?: string;
+}
+export interface BuyerAuthRequest extends Request {
+    buyer?: BuyerUser | null;
+}
+export interface BuyerMagicRequestData {
+    email?: string;
+    phone?: string;
+    sellerId: string;
+    channel?: "email" | "sms";
+}
+export interface BuyerMagicVerifyResponse {
+    success: boolean;
+    token?: string;
+    buyer?: BuyerUser;
+    error?: string;
+}
+export interface BuyerProfileResponse {
+    id: string;
+    email: string;
+    name?: string;
+    phone?: string;
+    sellerId: string;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oneaccount/express",
-  "version": "0.1.1",
+  "version": "0.2.0",
   "description": "OneAccount SDK for Express.js - Authentication, entitlements, and Stripe Connect",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",