@openape/nuxt-auth-sp 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024-2025 Patrick Hofmann
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,13 @@
+# @openape/nuxt-auth-sp
+
+OpenAPE Service Provider Nuxt module — adds OIDC login via DNS-based IdP discovery.
+
+## Installation
+
+```bash
+npm install @openape/nuxt-auth-sp
+```
+
+## License
+
+MIT

package/dist/module.cjs

@@ -0,0 +1,5 @@
+module.exports = function(...args) {
+  return import('./module.mjs').then(m => m.default.call(this, ...args))
+}
+const _meta = module.exports.meta = require('./module.json')
+module.exports.getMeta = () => Promise.resolve(_meta)

package/dist/module.d.mts

@@ -0,0 +1,12 @@
+import * as nuxt_schema from 'nuxt/schema';
+
+interface ModuleOptions {
+    spId: string;
+    spName: string;
+    sessionSecret: string;
+    openapeUrl: string;
+}
+declare const _default: nuxt_schema.NuxtModule<ModuleOptions, ModuleOptions, false>;
+
+export { _default as default };
+export type { ModuleOptions };

package/dist/module.d.ts

@@ -0,0 +1,12 @@
+import * as nuxt_schema from 'nuxt/schema';
+
+interface ModuleOptions {
+    spId: string;
+    spName: string;
+    sessionSecret: string;
+    openapeUrl: string;
+}
+declare const _default: nuxt_schema.NuxtModule<ModuleOptions, ModuleOptions, false>;
+
+export { _default as default };
+export type { ModuleOptions };

package/dist/module.json

@@ -0,0 +1,9 @@
+{
+  "name": "@openape/nuxt-auth-sp",
+  "configKey": "openapeSp",
+  "version": "0.1.0",
+  "builder": {
+    "@nuxt/module-builder": "0.8.4",
+    "unbuild": "unknown"
+  }
+}

package/dist/module.mjs

@@ -0,0 +1,31 @@
+import { defineNuxtModule, createResolver, addServerImportsDir, addImportsDir, addServerHandler } from '@nuxt/kit';
+import { defu } from 'defu';
+
+const module = defineNuxtModule({
+  meta: {
+    name: "@openape/nuxt-auth-sp",
+    configKey: "openapeSp"
+  },
+  defaults: {
+    spId: "",
+    spName: "OpenAPE Service Provider",
+    sessionSecret: "change-me-sp-secret-at-least-32-chars-long",
+    openapeUrl: ""
+  },
+  setup(options, nuxt) {
+    const { resolve } = createResolver(import.meta.url);
+    nuxt.options.runtimeConfig.openapeSp = defu(
+      nuxt.options.runtimeConfig.openapeSp || {},
+      options
+    );
+    addServerImportsDir(resolve("./runtime/server/utils"));
+    addImportsDir(resolve("./runtime/composables"));
+    addServerHandler({ route: "/api/login", method: "post", handler: resolve("./runtime/server/api/login.post") });
+    addServerHandler({ route: "/api/callback", handler: resolve("./runtime/server/api/callback.get") });
+    addServerHandler({ route: "/api/logout", method: "post", handler: resolve("./runtime/server/api/logout.post") });
+    addServerHandler({ route: "/api/me", handler: resolve("./runtime/server/api/me.get") });
+    addServerHandler({ route: "/.well-known/sp-manifest.json", handler: resolve("./runtime/server/routes/well-known/sp-manifest.json.get") });
+  }
+});
+
+export { module as default };

package/dist/runtime/composables/useOpenApeAuth.js

@@ -0,0 +1,26 @@
+import { useState, navigateTo } from "#imports";
+export function useOpenApeAuth() {
+  const user = useState("openape-user", () => null);
+  const loading = useState("openape-auth-loading", () => true);
+  async function fetchUser() {
+    try {
+      user.value = await $fetch("/api/me");
+    } catch {
+      user.value = null;
+    }
+    loading.value = false;
+  }
+  async function login(email) {
+    const { redirectUrl } = await $fetch("/api/login", {
+      method: "POST",
+      body: { email }
+    });
+    navigateTo(redirectUrl, { external: true });
+  }
+  async function logout() {
+    await $fetch("/api/logout", { method: "POST" });
+    user.value = null;
+    navigateTo("/");
+  }
+  return { user, loading, fetchUser, login, logout };
+}

package/dist/runtime/middleware/openape-auth.js

@@ -0,0 +1,6 @@
+import { defineNuxtRouteMiddleware, navigateTo } from "#imports";
+export default defineNuxtRouteMiddleware(async () => {
+  const { user, fetchUser, loading } = useOpenApeAuth();
+  if (loading.value) await fetchUser();
+  if (!user.value) return navigateTo("/");
+});

package/dist/runtime/server/api/callback.get.js

@@ -0,0 +1,38 @@
+import { handleCallback } from "@openape/auth";
+export default defineEventHandler(async (event) => {
+  const query = getQuery(event);
+  const { code, state, error, error_description } = query;
+  const { spId } = getSpConfig();
+  const origin = getRequestURL(event).origin;
+  const redirectUri = `${origin}/api/callback`;
+  if (error) {
+    const msg = error_description || error;
+    return sendRedirect(event, `/?error=${encodeURIComponent(msg)}`);
+  }
+  if (!code || !state) {
+    return sendRedirect(event, `/?error=${encodeURIComponent("Missing code or state parameter")}`);
+  }
+  const flowState = await getFlowState(event, state);
+  if (!flowState) {
+    return sendRedirect(event, `/?error=${encodeURIComponent("Invalid or expired state \u2014 please try again")}`);
+  }
+  try {
+    const result = await handleCallback({
+      code,
+      state,
+      flowState,
+      spId,
+      redirectUri
+    });
+    clearFlowState(event);
+    const session = await getSpSession(event);
+    await session.update({
+      claims: result.claims
+    });
+    return sendRedirect(event, "/dashboard");
+  } catch (err) {
+    clearFlowState(event);
+    const message = err instanceof Error ? err.message : "Callback processing failed";
+    return sendRedirect(event, `/?error=${encodeURIComponent(message)}`);
+  }
+});

package/dist/runtime/server/api/login.post.js

@@ -0,0 +1,31 @@
+import { createAuthorizationURL, discoverIdP } from "@openape/auth";
+export default defineEventHandler(async (event) => {
+  const body = await readBody(event);
+  const { spId, openapeUrl } = getSpConfig();
+  const origin = getRequestURL(event).origin;
+  const redirectUri = `${origin}/api/callback`;
+  if (!body?.email || !body.email.includes("@")) {
+    throw createError({ statusCode: 400, statusMessage: "Valid email required" });
+  }
+  const email = body.email.trim();
+  const domain = email.split("@")[1];
+  let idpConfig;
+  if (openapeUrl) {
+    idpConfig = { idpUrl: openapeUrl, record: { idp: openapeUrl } };
+  } else {
+    idpConfig = await discoverIdP(email);
+  }
+  if (!idpConfig) {
+    throw createError({
+      statusCode: 404,
+      statusMessage: `No DDISA IdP found for domain "${domain}"`
+    });
+  }
+  const { url, flowState } = await createAuthorizationURL(idpConfig, {
+    spId,
+    redirectUri,
+    email
+  });
+  await saveFlowState(event, flowState.state, flowState);
+  return { redirectUrl: url };
+});

package/dist/runtime/server/api/logout.post.js

@@ -0,0 +1,5 @@
+export default defineEventHandler(async (event) => {
+  const session = await getSpSession(event);
+  await session.clear();
+  return { ok: true };
+});

package/dist/runtime/server/api/me.get.js

@@ -0,0 +1,8 @@
+export default defineEventHandler(async (event) => {
+  const session = await getSpSession(event);
+  const data = session.data;
+  if (!data.claims) {
+    throw createError({ statusCode: 401, statusMessage: "Not authenticated" });
+  }
+  return data.claims;
+});

package/dist/runtime/server/routes/well-known/sp-manifest.json.get.js

@@ -0,0 +1,11 @@
+import { createSPManifest } from "@openape/auth";
+export default defineEventHandler((event) => {
+  const { spId, spName } = getSpConfig();
+  const origin = getRequestURL(event).origin;
+  return createSPManifest({
+    sp_id: spId,
+    name: spName,
+    redirect_uris: [`${origin}/api/callback`],
+    description: `${spName} \u2014 OpenAPE Service Provider`
+  });
+});

package/dist/runtime/server/utils/sp-config.js

@@ -0,0 +1,42 @@
+const FLOW_COOKIE = "openape-flow";
+export function getSpConfig() {
+  const config = useRuntimeConfig();
+  return {
+    spId: config.openapeSp.spId || "sp.example.com",
+    openapeUrl: config.openapeSp.openapeUrl || "",
+    spName: config.openapeSp.spName || "OpenAPE Service Provider"
+  };
+}
+export async function saveFlowState(event, state, flow) {
+  const config = useRuntimeConfig();
+  const session = await useSession(event, {
+    name: FLOW_COOKIE,
+    password: config.openapeSp.sessionSecret,
+    maxAge: 600
+  });
+  await session.update({
+    state,
+    flow,
+    exp: Date.now() + 10 * 60 * 1e3
+  });
+}
+export async function getFlowState(event, expectedState) {
+  const config = useRuntimeConfig();
+  const session = await useSession(event, {
+    name: FLOW_COOKIE,
+    password: config.openapeSp.sessionSecret
+  });
+  const data = session.data;
+  if (!data?.state) return null;
+  if (data.state !== expectedState) return null;
+  if (data.exp < Date.now()) return null;
+  return data.flow;
+}
+export async function clearFlowState(event) {
+  const config = useRuntimeConfig();
+  const session = await useSession(event, {
+    name: FLOW_COOKIE,
+    password: config.openapeSp.sessionSecret
+  });
+  await session.clear();
+}

package/dist/runtime/server/utils/sp-session.js

@@ -0,0 +1,7 @@
+export async function getSpSession(event) {
+  const config = useRuntimeConfig();
+  return await useSession(event, {
+    name: "openape-sp",
+    password: config.openapeSp.sessionSecret
+  });
+}

package/dist/types.d.mts

@@ -0,0 +1,7 @@
+import type { NuxtModule } from '@nuxt/schema'
+
+import type { default as Module } from './module.js'
+
+export type ModuleOptions = typeof Module extends NuxtModule<infer O> ? Partial<O> : Record<string, any>
+
+export { default } from './module.js'

package/dist/types.d.ts

@@ -0,0 +1,7 @@
+import type { NuxtModule } from '@nuxt/schema'
+
+import type { default as Module } from './module'
+
+export type ModuleOptions = typeof Module extends NuxtModule<infer O> ? Partial<O> : Record<string, any>
+
+export { default } from './module'

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@openape/nuxt-auth-sp",
+  "type": "module",
+  "version": "0.1.0",
+  "description": "OpenAPE Service Provider Nuxt module — adds OIDC login via DNS-based IdP discovery",
+  "author": "Patrick Hofmann",
+  "license": "MIT",
+  "exports": {
+    ".": {
+      "types": "./dist/types.d.mts",
+      "import": "./dist/module.mjs"
+    }
+  },
+  "main": "./dist/module.mjs",
+  "types": "./dist/types.d.mts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "nuxt-module-build build",
+    "dev": "nuxt-module-build build --stub",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@nuxt/kit": "^3.16.0",
+    "@openape/auth": "^0.1.0",
+    "@openape/core": "^0.1.0",
+    "defu": "^6.1.4"
+  },
+  "peerDependencies": {
+    "nuxt": "^4.0.0"
+  },
+  "devDependencies": {
+    "@nuxt/module-builder": "^0.8.4",
+    "nuxt": "^4.3.1",
+    "typescript": "^5.7.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/openape-ai/nuxt-auth-sp.git"
+  }
+}