npm - @oneaccount/express - Versions diffs - 0.1.2 → 0.2.0 - Mend

@oneaccount/express 0.1.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/README.md +64 -1
package/dist/client/accountPro.d.ts +7 -1
package/dist/client/accountPro.js +13 -0
package/dist/index.d.ts +8 -1
package/dist/index.js +16 -1
package/dist/middleware/buyerAuth.d.ts +5 -0
package/dist/middleware/buyerAuth.js +134 -0
package/dist/routes/buyerAuth.d.ts +3 -0
package/dist/routes/buyerAuth.js +78 -0
package/dist/types/index.d.ts +29 -0
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -90,6 +90,67 @@ When you call `oa.mountRoutes(app, '/api/connect')`, the following routes are av
 | POST | `/api/connect/payment` | Create marketplace payment |
 | POST | `/api/connect/refund` | Refund a payment |
+## Buyer Authentication
+For marketplace apps where sellers have their own customers (buyers), the SDK provides buyer authentication:
+```typescript
+import type { BuyerAuthRequest } from '@oneaccount/express';
+// Mount buyer auth routes
+oa.mountBuyerRoutes(app, '/api/buyer');
+// Add buyer middleware to routes that need buyer auth
+app.use('/api/customer', oa.buyerMiddleware);
+// Protected buyer route - use BuyerAuthRequest for typing
+app.get('/api/customer/orders', oa.requireBuyerAuth, (req: BuyerAuthRequest, res) => {
+  const buyer = req.buyer!; // Non-null after requireBuyerAuth
+  res.json({ buyerId: buyer.buyerId, sellerId: buyer.sellerId });
+});
+// Restrict to specific seller's buyers
+app.get('/api/customer/classes', oa.requireBuyerForSeller('seller-uuid'), (req: BuyerAuthRequest, res) => {
+  res.json({ message: 'Welcome!' });
+});
+```
+### Buyer Auth Routes
+When you call `oa.mountBuyerRoutes(app, '/api/buyer')`:
+| Method | Path | Description |
+|--------|------|-------------|
+| POST | `/api/buyer/magic/request` | Request magic login link (email or SMS) |
+| GET | `/api/buyer/magic/verify` | Verify magic token and get JWT |
+| GET | `/api/buyer/profile` | Get buyer profile (requires auth) |
+### Magic Link Request Body
+```json
+{
+  "email": "customer@example.com",
+  "sellerId": "seller-uuid",
+  "channel": "email"
+}
+```
+Or for SMS:
+```json
+{
+  "phone": "+15551234567",
+  "sellerId": "seller-uuid",
+  "channel": "sms"
+}
+```
+### Buyer Middleware
+- `oa.buyerMiddleware` - Parses buyer JWT from `Authorization: Bearer <token>` header
+- `oa.requireBuyerAuth` - Returns 401 if no authenticated buyer
+- `oa.requireBuyerForSeller(sellerId)` - Returns 403 if buyer doesn't belong to seller
 ## TypeScript
 The SDK is fully typed. Import types as needed:
@@ -98,7 +159,9 @@ The SDK is fully typed. Import types as needed:
 import type {
   OneAccountRequest,
   OneAccountUser,
-  Entitlements
+  Entitlements,
+  BuyerAuthRequest,
+  BuyerUser,
 } from '@oneaccount/express';
 ```

package/dist/client/accountPro.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import type { OneAccountConfig, StripeConnectStatus, StripeTransaction, StripeBalance } from "../types";
+import type { OneAccountConfig, StripeConnectStatus, StripeTransaction, StripeBalance, BuyerMagicRequestData, BuyerMagicVerifyResponse, BuyerProfileResponse } from "../types";
 export declare class AccountProClient {
     private baseUrl;
     private apiKey;
@@ -40,4 +40,10 @@ export declare class AccountProClient {
         refundId: string;
         status: string;
     }>;
+    requestBuyerMagicLink(data: BuyerMagicRequestData): Promise<{
+        success: boolean;
+        message: string;
+    }>;
+    verifyBuyerMagicToken(token: string): Promise<BuyerMagicVerifyResponse>;
+    getBuyerProfile(buyerToken: string): Promise<BuyerProfileResponse>;
 }

package/dist/client/accountPro.js CHANGED Viewed

@@ -82,5 +82,18 @@ class AccountProClient {
             body: JSON.stringify(data),
         });
     }
+    // Buyer Auth Methods
+    async requestBuyerMagicLink(data) {
+        return this.request("/buyer/magic/request", {
+            method: "POST",
+            body: JSON.stringify(data),
+        });
+    }
+    async verifyBuyerMagicToken(token) {
+        return this.request(`/buyer/magic/verify?token=${encodeURIComponent(token)}`);
+    }
+    async getBuyerProfile(buyerToken) {
+        return this.request("/buyer/profile", { token: buyerToken });
+    }
 }
 exports.AccountProClient = AccountProClient;

package/dist/index.d.ts CHANGED Viewed

@@ -1,17 +1,24 @@
 import type { Express } from "express";
 import { createAuthMiddleware, requireAuth, requireEntitlement, requireSuperAdmin } from "./middleware/auth";
+import { createBuyerAuthMiddleware, requireBuyerAuth, requireBuyerForSeller } from "./middleware/buyerAuth";
 import { AccountProClient } from "./client/accountPro";
 import type { OneAccountConfig } from "./types";
 export interface OneAccountSDK {
     middleware: ReturnType<typeof createAuthMiddleware>;
+    buyerMiddleware: ReturnType<typeof createBuyerAuthMiddleware>;
     requireAuth: typeof requireAuth;
     requireEntitlement: typeof requireEntitlement;
     requireSuperAdmin: typeof requireSuperAdmin;
+    requireBuyerAuth: typeof requireBuyerAuth;
+    requireBuyerForSeller: typeof requireBuyerForSeller;
     client: AccountProClient;
     mountRoutes: (app: Express, basePath?: string) => void;
+    mountBuyerRoutes: (app: Express, basePath?: string) => void;
 }
 export declare function oneAccount(config: OneAccountConfig): OneAccountSDK;
 export { createAuthMiddleware, requireAuth, requireEntitlement, requireSuperAdmin, } from "./middleware/auth";
+export { createBuyerAuthMiddleware, requireBuyerAuth, requireBuyerForSeller, } from "./middleware/buyerAuth";
 export { createStripeConnectRoutes } from "./routes/stripeConnect";
+export { createBuyerAuthRoutes } from "./routes/buyerAuth";
 export { AccountProClient } from "./client/accountPro";
-export type { OneAccountConfig, OneAccountRequest, OneAccountUser, Entitlements, } from "./types";
+export type { OneAccountConfig, OneAccountRequest, OneAccountUser, Entitlements, BuyerAuthRequest, BuyerUser, BuyerMagicRequestData, BuyerMagicVerifyResponse, BuyerProfileResponse, } from "./types";

package/dist/index.js CHANGED Viewed

@@ -1,9 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AccountProClient = exports.createStripeConnectRoutes = exports.requireSuperAdmin = exports.requireEntitlement = exports.requireAuth = exports.createAuthMiddleware = void 0;
+exports.AccountProClient = exports.createBuyerAuthRoutes = exports.createStripeConnectRoutes = exports.requireBuyerForSeller = exports.requireBuyerAuth = exports.createBuyerAuthMiddleware = exports.requireSuperAdmin = exports.requireEntitlement = exports.requireAuth = exports.createAuthMiddleware = void 0;
 exports.oneAccount = oneAccount;
 const auth_1 = require("./middleware/auth");
+const buyerAuth_1 = require("./middleware/buyerAuth");
 const stripeConnect_1 = require("./routes/stripeConnect");
+const buyerAuth_2 = require("./routes/buyerAuth");
 const accountPro_1 = require("./client/accountPro");
 function oneAccount(config) {
     if (!config.apiKey) {
@@ -14,16 +16,23 @@ function oneAccount(config) {
         ...config,
     };
     const authMiddleware = (0, auth_1.createAuthMiddleware)(resolvedConfig);
+    const buyerAuthMiddleware = (0, buyerAuth_1.createBuyerAuthMiddleware)(resolvedConfig);
     const client = new accountPro_1.AccountProClient(resolvedConfig);
     return {
         middleware: authMiddleware,
+        buyerMiddleware: buyerAuthMiddleware,
         requireAuth: auth_1.requireAuth,
         requireEntitlement: auth_1.requireEntitlement,
         requireSuperAdmin: auth_1.requireSuperAdmin,
+        requireBuyerAuth: buyerAuth_1.requireBuyerAuth,
+        requireBuyerForSeller: buyerAuth_1.requireBuyerForSeller,
         client,
         mountRoutes: (app, basePath = "/api/connect") => {
             app.use(basePath, (0, stripeConnect_1.createStripeConnectRoutes)(resolvedConfig));
         },
+        mountBuyerRoutes: (app, basePath = "/api/buyer") => {
+            app.use(basePath, (0, buyerAuth_2.createBuyerAuthRoutes)(resolvedConfig));
+        },
     };
 }
 var auth_2 = require("./middleware/auth");
@@ -31,7 +40,13 @@ Object.defineProperty(exports, "createAuthMiddleware", { enumerable: true, get:
 Object.defineProperty(exports, "requireAuth", { enumerable: true, get: function () { return auth_2.requireAuth; } });
 Object.defineProperty(exports, "requireEntitlement", { enumerable: true, get: function () { return auth_2.requireEntitlement; } });
 Object.defineProperty(exports, "requireSuperAdmin", { enumerable: true, get: function () { return auth_2.requireSuperAdmin; } });
+var buyerAuth_3 = require("./middleware/buyerAuth");
+Object.defineProperty(exports, "createBuyerAuthMiddleware", { enumerable: true, get: function () { return buyerAuth_3.createBuyerAuthMiddleware; } });
+Object.defineProperty(exports, "requireBuyerAuth", { enumerable: true, get: function () { return buyerAuth_3.requireBuyerAuth; } });
+Object.defineProperty(exports, "requireBuyerForSeller", { enumerable: true, get: function () { return buyerAuth_3.requireBuyerForSeller; } });
 var stripeConnect_2 = require("./routes/stripeConnect");
 Object.defineProperty(exports, "createStripeConnectRoutes", { enumerable: true, get: function () { return stripeConnect_2.createStripeConnectRoutes; } });
+var buyerAuth_4 = require("./routes/buyerAuth");
+Object.defineProperty(exports, "createBuyerAuthRoutes", { enumerable: true, get: function () { return buyerAuth_4.createBuyerAuthRoutes; } });
 var accountPro_2 = require("./client/accountPro");
 Object.defineProperty(exports, "AccountProClient", { enumerable: true, get: function () { return accountPro_2.AccountProClient; } });

package/dist/middleware/buyerAuth.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import type { Response, NextFunction } from "express";
+import type { BuyerAuthRequest, OneAccountConfig } from "../types";
+export declare function createBuyerAuthMiddleware(config: OneAccountConfig): (req: BuyerAuthRequest, _res: Response, next: NextFunction) => Promise<void>;
+export declare function requireBuyerAuth(req: BuyerAuthRequest, res: Response, next: NextFunction): Response<any, Record<string, any>> | undefined;
+export declare function requireBuyerForSeller(sellerId: string): (req: BuyerAuthRequest, res: Response, next: NextFunction) => Response<any, Record<string, any>> | undefined;

package/dist/middleware/buyerAuth.js ADDED Viewed

@@ -0,0 +1,134 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createBuyerAuthMiddleware = createBuyerAuthMiddleware;
+exports.requireBuyerAuth = requireBuyerAuth;
+exports.requireBuyerForSeller = requireBuyerForSeller;
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+let cachedJWKS = null;
+let jwksCacheExpiry = 0;
+async function fetchJWKS(jwksUrl) {
+    const now = Date.now();
+    if (cachedJWKS && now < jwksCacheExpiry) {
+        return cachedJWKS;
+    }
+    const response = await fetch(jwksUrl);
+    if (!response.ok) {
+        throw new Error(`Failed to fetch JWKS: ${response.status}`);
+    }
+    cachedJWKS = await response.json();
+    jwksCacheExpiry = now + 3600000;
+    return cachedJWKS;
+}
+function rsaPublicKeyFromJWK(jwk) {
+    const n = Buffer.from(jwk.n, "base64url");
+    const e = Buffer.from(jwk.e, "base64url");
+    const nLen = n.length;
+    const eLen = e.length;
+    const nLenBytes = nLen < 128
+        ? [nLen]
+        : nLen < 256
+            ? [0x81, nLen]
+            : [0x82, (nLen >> 8) & 0xff, nLen & 0xff];
+    const eLenBytes = eLen < 128
+        ? [eLen]
+        : eLen < 256
+            ? [0x81, eLen]
+            : [0x82, (eLen >> 8) & 0xff, eLen & 0xff];
+    const nSequence = [0x02, ...nLenBytes, ...n];
+    const eSequence = [0x02, ...eLenBytes, ...e];
+    const innerSequence = [...nSequence, ...eSequence];
+    const innerLen = innerSequence.length;
+    const innerLenBytes = innerLen < 128
+        ? [innerLen]
+        : innerLen < 256
+            ? [0x81, innerLen]
+            : [0x82, (innerLen >> 8) & 0xff, innerLen & 0xff];
+    const bitString = [0x30, ...innerLenBytes, ...innerSequence];
+    const bitStringWithHeader = [
+        0x03,
+        bitString.length + 1,
+        0x00,
+        ...bitString,
+    ];
+    const rsaOID = [
+        0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+        0x01, 0x05, 0x00,
+    ];
+    const fullSequence = [...rsaOID, ...bitStringWithHeader];
+    const fullLen = fullSequence.length;
+    const fullLenBytes = fullLen < 128
+        ? [fullLen]
+        : fullLen < 256
+            ? [0x81, fullLen]
+            : [0x82, (fullLen >> 8) & 0xff, fullLen & 0xff];
+    const der = Buffer.from([0x30, ...fullLenBytes, ...fullSequence]);
+    const pem = `-----BEGIN PUBLIC KEY-----\n${der.toString("base64").match(/.{1,64}/g)?.join("\n")}\n-----END PUBLIC KEY-----`;
+    return pem;
+}
+function createBuyerAuthMiddleware(config) {
+    const jwksUrl = config.jwksUrl ||
+        `${config.accountProUrl || "https://myaccount.one"}/.well-known/jwks.json`;
+    return async function buyerAuthMiddleware(req, _res, next) {
+        req.buyer = null;
+        const authHeader = req.headers.authorization;
+        const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : null;
+        if (!token) {
+            return next();
+        }
+        try {
+            const decoded = jsonwebtoken_1.default.decode(token, { complete: true });
+            if (!decoded) {
+                return next();
+            }
+            const jwks = await fetchJWKS(jwksUrl);
+            const key = decoded.header.kid
+                ? jwks.keys.find((k) => k.kid === decoded.header.kid)
+                : jwks.keys[0];
+            if (!key) {
+                if (config.debug) {
+                    console.error("[OneAccount] No matching key found in JWKS for buyer token");
+                }
+                return next();
+            }
+            const publicKey = rsaPublicKeyFromJWK(key);
+            const payload = jsonwebtoken_1.default.verify(token, publicKey, {
+                algorithms: ["RS256"],
+            });
+            if (payload.buyerId && payload.sellerId) {
+                req.buyer = {
+                    buyerId: payload.buyerId,
+                    sellerId: payload.sellerId,
+                    email: payload.email,
+                    name: payload.name,
+                    phone: payload.phone,
+                };
+            }
+        }
+        catch (err) {
+            if (config.debug) {
+                console.error("[OneAccount] Buyer JWT verification failed:", err);
+            }
+        }
+        next();
+    };
+}
+function requireBuyerAuth(req, res, next) {
+    if (!req.buyer) {
+        return res.status(401).json({ error: "Buyer authentication required" });
+    }
+    next();
+}
+function requireBuyerForSeller(sellerId) {
+    return function (req, res, next) {
+        if (!req.buyer) {
+            return res.status(401).json({ error: "Buyer authentication required" });
+        }
+        if (req.buyer.sellerId !== sellerId) {
+            return res.status(403).json({ error: "Access denied for this seller" });
+        }
+        next();
+    };
+}

package/dist/routes/buyerAuth.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { Router } from "express";
+import type { OneAccountConfig } from "../types";
+export declare function createBuyerAuthRoutes(config: OneAccountConfig): Router;

package/dist/routes/buyerAuth.js ADDED Viewed

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createBuyerAuthRoutes = createBuyerAuthRoutes;
+const express_1 = require("express");
+const accountPro_1 = require("../client/accountPro");
+function createBuyerAuthRoutes(config) {
+    const router = (0, express_1.Router)();
+    const client = new accountPro_1.AccountProClient(config);
+    router.post("/magic/request", async (req, res) => {
+        try {
+            const { email, phone, sellerId, channel: rawChannel } = req.body;
+            if (!sellerId) {
+                return res.status(400).json({ error: "sellerId is required" });
+            }
+            // Default to email if channel not specified
+            const channel = rawChannel || "email";
+            if (channel === "email" && !email) {
+                return res.status(400).json({ error: "email is required for email channel" });
+            }
+            if (channel === "sms" && !phone) {
+                return res.status(400).json({ error: "phone is required for SMS channel" });
+            }
+            const result = await client.requestBuyerMagicLink({
+                email,
+                phone,
+                sellerId,
+                channel,
+            });
+            res.json(result);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Failed to request magic link";
+            res.status(400).json({ error: message });
+        }
+    });
+    router.get("/magic/verify", async (req, res) => {
+        try {
+            const token = req.query.token;
+            if (!token) {
+                return res.status(400).json({ error: "token is required" });
+            }
+            const result = await client.verifyBuyerMagicToken(token);
+            if (result.success && result.token) {
+                res.json({
+                    success: true,
+                    token: result.token,
+                    buyer: result.buyer,
+                });
+            }
+            else {
+                res.status(401).json({
+                    success: false,
+                    error: result.error || "Invalid or expired token",
+                });
+            }
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Failed to verify token";
+            res.status(400).json({ error: message });
+        }
+    });
+    router.get("/profile", async (req, res) => {
+        try {
+            const authHeader = req.headers.authorization;
+            const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
+            if (!token) {
+                return res.status(401).json({ error: "Authorization required" });
+            }
+            const profile = await client.getBuyerProfile(token);
+            res.json(profile);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Failed to get profile";
+            res.status(400).json({ error: message });
+        }
+    });
+    return router;
+}

package/dist/types/index.d.ts CHANGED Viewed

@@ -60,3 +60,32 @@ export interface StripeBalance {
         currency: string;
     }[];
 }
+export interface BuyerUser {
+    buyerId: string;
+    sellerId: string;
+    email: string;
+    name?: string;
+    phone?: string;
+}
+export interface BuyerAuthRequest extends Request {
+    buyer?: BuyerUser | null;
+}
+export interface BuyerMagicRequestData {
+    email?: string;
+    phone?: string;
+    sellerId: string;
+    channel?: "email" | "sms";
+}
+export interface BuyerMagicVerifyResponse {
+    success: boolean;
+    token?: string;
+    buyer?: BuyerUser;
+    error?: string;
+}
+export interface BuyerProfileResponse {
+    id: string;
+    email: string;
+    name?: string;
+    phone?: string;
+    sellerId: string;
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@oneaccount/express",
-  "version": "0.1.2",
+  "version": "0.2.0",
   "description": "OneAccount SDK for Express.js - Authentication, entitlements, and Stripe Connect",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",