@openape/nuxt-auth-sp 0.1.0 → 0.1.2

package/README.md

@@ -1,6 +1,6 @@
 # @openape/nuxt-auth-sp
 
-OpenAPE Service Provider Nuxt module — adds OIDC login via DNS-based IdP discovery.
+Nuxt module that adds **DDISA-based login** to your application. Users enter their email, the module discovers their Identity Provider via DNS, and handles the full authorization flow — no pre-configured IdP list needed.
 
 ## Installation
 
@@ -8,6 +8,115 @@ OpenAPE Service Provider Nuxt module — adds OIDC login via DNS-based IdP disco
 npm install @openape/nuxt-auth-sp
 ```
 
+```typescript
+// nuxt.config.ts
+export default defineNuxtConfig({
+  modules: ['@openape/nuxt-auth-sp'],
+
+  openapeSp: {
+    spId: 'sp.example.com',
+    spName: 'My Service',
+    sessionSecret: 'your-secret-min-32-chars...',
+  },
+})
+```
+
+## Configuration
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `spId` | `string` | — | **Required.** Service Provider identifier (typically your domain) |
+| `spName` | `string` | `'OpenApe Service Provider'` | Display name shown during authorization |
+| `sessionSecret` | `string` | `'change-me-sp-secret-...'` | Session encryption key |
+| `openapeUrl` | `string` | — | Override IdP URL (bypasses DNS discovery) |
+
+## Routes
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `POST` | `/api/login` | Start login — `{ email }` → `{ redirectUrl }` |
+| `GET` | `/api/callback` | Handle callback from IdP |
+| `POST` | `/api/logout` | End session |
+| `GET` | `/api/me` | Get current user (`DDISAAssertionClaims`) |
+| `GET` | `/.well-known/sp-manifest.json` | SP manifest for IdP discovery |
+
+## Composables
+
+### `useOpenApeAuth()`
+
+```typescript
+const { user, loading, fetchUser, login, logout } = useOpenApeAuth()
+
+// user: Ref<DDISAAssertionClaims | null>
+// DDISAAssertionClaims: { sub, iss, aud, act, iat, exp, nonce, ... }
+
+await login('user@example.com')  // Redirects to user's IdP
+await logout()                   // Clears session, navigates to /
+```
+
+## Middleware
+
+The module provides an `openape-auth` middleware that protects pages from unauthenticated access.
+
+```typescript
+// pages/dashboard.vue
+definePageMeta({
+  middleware: 'openape-auth',
+})
+```
+
+Unauthenticated users are redirected to the login page.
+
+## DNS Discovery
+
+When a user logs in with `user@example.com`, the module:
+
+1. Extracts the domain (`example.com`)
+2. Looks up the `_ddisa.example.com` TXT record
+3. Parses the DDISA record to find the IdP URL
+4. Redirects the user to the IdP's authorization endpoint with PKCE
+5. Handles the callback and validates the signed assertion
+
+This means any domain with a DDISA DNS record can authenticate — no pre-registration needed.
+
+For details on DNS resolution, see [`@openape/core`](../core).
+
+## Quick Start
+
+```typescript
+// nuxt.config.ts
+export default defineNuxtConfig({
+  modules: ['@openape/nuxt-auth-sp'],
+
+  openapeSp: {
+    spId: 'localhost:3001',
+    spName: 'My App',
+    sessionSecret: 'at-least-32-characters-long-secret-here',
+  },
+})
+```
+
+```vue
+<!-- pages/index.vue -->
+<script setup>
+const { user, login, logout } = useOpenApeAuth()
+const email = ref('')
+</script>
+
+<template>
+  <div v-if="user">
+    Logged in as {{ user.sub }}
+    <button @click="logout">Logout</button>
+  </div>
+  <form v-else @submit.prevent="login(email)">
+    <input v-model="email" type="email" placeholder="you@example.com" />
+    <button type="submit">Login</button>
+  </form>
+</template>
+```
+
+See the [examples](../examples) directory for a fully working SP setup.
+
 ## License
 
-MIT
+[MIT](./LICENSE)

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "@openape/nuxt-auth-sp",
   "configKey": "openapeSp",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "builder": {
     "@nuxt/module-builder": "0.8.4",
     "unbuild": "unknown"

package/dist/module.mjs

@@ -8,7 +8,7 @@ const module = defineNuxtModule({
   },
   defaults: {
     spId: "",
-    spName: "OpenAPE Service Provider",
+    spName: "OpenApe Service Provider",
     sessionSecret: "change-me-sp-secret-at-least-32-chars-long",
     openapeUrl: ""
   },

package/dist/runtime/server/api/callback.get.js

@@ -1,4 +1,7 @@
+import { defineEventHandler, getQuery, getRequestURL, sendRedirect } from "h3";
 import { handleCallback } from "@openape/auth";
+import { getFlowState, getSpConfig, clearFlowState } from "../utils/sp-config.js";
+import { getSpSession } from "../utils/sp-session.js";
 export default defineEventHandler(async (event) => {
   const query = getQuery(event);
   const { code, state, error, error_description } = query;

package/dist/runtime/server/api/login.post.js

@@ -1,4 +1,6 @@
+import { createError, defineEventHandler, getRequestURL, readBody } from "h3";
 import { createAuthorizationURL, discoverIdP } from "@openape/auth";
+import { getSpConfig, saveFlowState } from "../utils/sp-config.js";
 export default defineEventHandler(async (event) => {
   const body = await readBody(event);
   const { spId, openapeUrl } = getSpConfig();

package/dist/runtime/server/api/logout.post.js

@@ -1,3 +1,5 @@
+import { defineEventHandler } from "h3";
+import { getSpSession } from "../utils/sp-session.js";
 export default defineEventHandler(async (event) => {
   const session = await getSpSession(event);
   await session.clear();

package/dist/runtime/server/api/me.get.js

@@ -1,3 +1,5 @@
+import { createError, defineEventHandler } from "h3";
+import { getSpSession } from "../utils/sp-session.js";
 export default defineEventHandler(async (event) => {
   const session = await getSpSession(event);
   const data = session.data;

package/dist/runtime/server/routes/well-known/sp-manifest.json.get.js

@@ -1,4 +1,6 @@
+import { defineEventHandler, getRequestURL } from "h3";
 import { createSPManifest } from "@openape/auth";
+import { getSpConfig } from "../../utils/sp-config.js";
 export default defineEventHandler((event) => {
   const { spId, spName } = getSpConfig();
   const origin = getRequestURL(event).origin;
@@ -6,6 +8,6 @@ export default defineEventHandler((event) => {
     sp_id: spId,
     name: spName,
     redirect_uris: [`${origin}/api/callback`],
-    description: `${spName} \u2014 OpenAPE Service Provider`
+    description: `${spName} \u2014 OpenApe Service Provider`
   });
 });

package/dist/runtime/server/utils/sp-config.js

@@ -1,10 +1,12 @@
+import { useSession } from "h3";
+import { useRuntimeConfig } from "nitropack/runtime";
 const FLOW_COOKIE = "openape-flow";
 export function getSpConfig() {
   const config = useRuntimeConfig();
   return {
     spId: config.openapeSp.spId || "sp.example.com",
     openapeUrl: config.openapeSp.openapeUrl || "",
-    spName: config.openapeSp.spName || "OpenAPE Service Provider"
+    spName: config.openapeSp.spName || "OpenApe Service Provider"
   };
 }
 export async function saveFlowState(event, state, flow) {

package/dist/runtime/server/utils/sp-session.js

@@ -1,3 +1,5 @@
+import { useSession } from "h3";
+import { useRuntimeConfig } from "nitropack/runtime";
 export async function getSpSession(event) {
   const config = useRuntimeConfig();
   return await useSession(event, {

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@openape/nuxt-auth-sp",
   "type": "module",
-  "version": "0.1.0",
-  "description": "OpenAPE Service Provider Nuxt module — adds OIDC login via DNS-based IdP discovery",
+  "version": "0.1.2",
+  "description": "OpenApe Service Provider Nuxt module — adds OIDC login via DNS-based IdP discovery",
   "author": "Patrick Hofmann",
   "license": "MIT",
   "exports": {
@@ -25,7 +25,8 @@
     "@nuxt/kit": "^3.16.0",
     "@openape/auth": "^0.1.0",
     "@openape/core": "^0.1.0",
-    "defu": "^6.1.4"
+    "defu": "^6.1.4",
+    "h3": "^1.15.0"
   },
   "peerDependencies": {
     "nuxt": "^4.0.0"