@openape/nuxt-auth-sp 0.1.10 → 0.3.0

package/dist/module.d.mts

@@ -6,6 +6,7 @@ interface ModuleOptions {
     sessionSecret: string;
     openapeUrl: string;
     fallbackIdpUrl: string;
+    routes: boolean;
 }
 declare const _default: _nuxt_schema.NuxtModule<ModuleOptions, ModuleOptions, false>;
 

package/dist/module.d.ts

@@ -6,6 +6,7 @@ interface ModuleOptions {
     sessionSecret: string;
     openapeUrl: string;
     fallbackIdpUrl: string;
+    routes: boolean;
 }
 declare const _default: _nuxt_schema.NuxtModule<ModuleOptions, ModuleOptions, false>;
 

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "@openape/nuxt-auth-sp",
   "configKey": "openapeSp",
-  "version": "0.1.10",
+  "version": "0.3.0",
   "builder": {
     "@nuxt/module-builder": "0.8.4",
     "unbuild": "unknown"

package/dist/module.mjs

@@ -1,6 +1,8 @@
-import { defineNuxtModule, createResolver, addServerImportsDir, addImportsDir, addServerHandler } from '@nuxt/kit';
+import crypto from 'node:crypto';
+import { useLogger, defineNuxtModule, createResolver, addServerImportsDir, addImportsDir, addComponentsDir, addServerHandler } from '@nuxt/kit';
 import { defu } from 'defu';
 
+const logger = useLogger("@openape/nuxt-auth-sp");
 const module = defineNuxtModule({
   meta: {
     name: "@openape/nuxt-auth-sp",
@@ -11,21 +13,48 @@ const module = defineNuxtModule({
     spName: "OpenApe Service Provider",
     sessionSecret: "change-me-sp-secret-at-least-32-chars-long",
     openapeUrl: "",
-    fallbackIdpUrl: "https://id.openape.at"
+    fallbackIdpUrl: "https://id.openape.at",
+    routes: true
   },
   setup(options, nuxt) {
     const { resolve } = createResolver(import.meta.url);
+    const runtimeDir = resolve("./runtime");
     nuxt.options.runtimeConfig.openapeSp = defu(
       nuxt.options.runtimeConfig.openapeSp || {},
       options
     );
+    if (nuxt.options.dev) {
+      const config = nuxt.options.runtimeConfig.openapeSp;
+      if (!config.sessionSecret || config.sessionSecret === "change-me-sp-secret-at-least-32-chars-long") {
+        config.sessionSecret = crypto.randomUUID() + crypto.randomUUID();
+        logger.info("Auto-generated sessionSecret for dev mode");
+      }
+      if (!config.spId) {
+        const port = nuxt.options.devServer?.port || 3e3;
+        config.spId = `localhost:${port}`;
+        logger.info(`Auto-derived spId: ${config.spId}`);
+      }
+    }
+    if (!nuxt.options.dev) {
+      const config = nuxt.options.runtimeConfig.openapeSp;
+      if (config.sessionSecret === "change-me-sp-secret-at-least-32-chars-long") {
+        logger.warn("Using default sessionSecret in production! Set NUXT_OPENAPE_SP_SESSION_SECRET.");
+      }
+      if (!config.spId) {
+        logger.warn("spId is empty in production! Set openapeSp.spId or NUXT_OPENAPE_SP_SP_ID.");
+      }
+    }
     addServerImportsDir(resolve("./runtime/server/utils"));
     addImportsDir(resolve("./runtime/composables"));
-    addServerHandler({ route: "/api/login", method: "post", handler: resolve("./runtime/server/api/login.post") });
-    addServerHandler({ route: "/api/callback", handler: resolve("./runtime/server/api/callback.get") });
-    addServerHandler({ route: "/api/logout", method: "post", handler: resolve("./runtime/server/api/logout.post") });
-    addServerHandler({ route: "/api/me", handler: resolve("./runtime/server/api/me.get") });
-    addServerHandler({ route: "/.well-known/sp-manifest.json", handler: resolve("./runtime/server/routes/well-known/sp-manifest.json.get") });
+    addComponentsDir({ path: resolve(runtimeDir, "components") });
+    if (options.routes !== false) {
+      addServerHandler({ route: "/api/login", method: "post", handler: resolve("./runtime/server/api/login.post") });
+      addServerHandler({ route: "/api/callback", handler: resolve("./runtime/server/api/callback.get") });
+      addServerHandler({ route: "/api/logout", method: "post", handler: resolve("./runtime/server/api/logout.post") });
+      addServerHandler({ route: "/api/me", handler: resolve("./runtime/server/api/me.get") });
+      addServerHandler({ route: "/.well-known/sp-manifest.json", handler: resolve("./runtime/server/routes/well-known/sp-manifest.json.get") });
+      addServerHandler({ route: "/.well-known/auth.md", handler: resolve("./runtime/server/routes/well-known/auth.md.get") });
+    }
   }
 });
 

package/dist/runtime/components/OpenApeAuth.vue

@@ -0,0 +1,112 @@
+<script setup lang="ts">
+withDefaults(defineProps<{
+  title?: string
+  subtitle?: string
+  buttonText?: string
+  placeholder?: string
+}>(), {
+  title: 'Sign in',
+  subtitle: 'Enter your email to continue',
+  buttonText: 'Continue',
+  placeholder: 'you@example.com',
+})
+
+const emit = defineEmits<{
+  error: [error: Error]
+}>()
+
+const { user, loading, fetchUser, login } = useOpenApeAuth()
+const email = ref('')
+const error = ref('')
+const submitting = ref(false)
+
+const route = useRoute()
+
+onMounted(async () => {
+  await fetchUser()
+  if (user.value) {
+    navigateTo('/dashboard')
+  }
+  if (route.query.error) {
+    error.value = String(route.query.error)
+  }
+})
+
+async function handleSubmit() {
+  error.value = ''
+  if (!email.value || !email.value.includes('@')) {
+    error.value = 'Please enter a valid email address'
+    return
+  }
+  submitting.value = true
+  try {
+    await login(email.value)
+  }
+  catch (e: unknown) {
+    const err = e instanceof Error ? e : new Error('Login failed')
+    error.value = (e as any)?.data?.message || err.message
+    emit('error', err)
+    submitting.value = false
+  }
+}
+</script>
+
+<template>
+  <div v-if="loading" class="openape-auth openape-auth--loading">
+    <div class="openape-auth-spinner" />
+  </div>
+
+  <div v-else class="openape-auth">
+    <slot name="header">
+      <div class="openape-auth-header">
+        <h2 class="openape-auth-title">
+          {{ title }}
+        </h2>
+        <p class="openape-auth-subtitle">
+          {{ subtitle }}
+        </p>
+      </div>
+    </slot>
+
+    <form class="openape-auth-form" @submit.prevent="handleSubmit">
+      <slot name="error" :error="error">
+        <p v-if="error" class="openape-auth-error">
+          {{ error }}
+        </p>
+      </slot>
+
+      <input
+        v-model="email"
+        type="email"
+        class="openape-auth-input"
+        :placeholder="placeholder"
+        required
+        :disabled="submitting"
+        autocomplete="email"
+      >
+
+      <slot name="button" :submitting="submitting">
+        <button
+          type="submit"
+          class="openape-auth-button"
+          :disabled="submitting || !email"
+        >
+          <span v-if="submitting" class="openape-auth-button-loading">
+            <svg class="openape-auth-spinner-icon" viewBox="0 0 24 24" fill="none">
+              <circle cx="12" cy="12" r="10" stroke="currentColor" stroke-width="2.5" opacity="0.25" />
+              <path d="M12 2a10 10 0 0 1 10 10" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" />
+            </svg>
+            Redirecting…
+          </span>
+          <span v-else>{{ buttonText }}</span>
+        </button>
+      </slot>
+    </form>
+
+    <slot name="footer" />
+  </div>
+</template>
+
+<style>
+.openape-auth{--oa-bg:#fff;--oa-border:#e2e2e2;--oa-text:#1a1a1a;--oa-text-muted:#6b7280;--oa-primary:#18181b;--oa-primary-hover:#27272a;--oa-primary-text:#fff;--oa-error:#dc2626;--oa-error-bg:#fef2f2;--oa-input-bg:#fff;--oa-input-border:#d1d5db;--oa-input-focus:#18181b;--oa-radius:8px;--oa-font:system-ui,-apple-system,sans-serif;background:var(--oa-bg);border:1px solid var(--oa-border);border-radius:var(--oa-radius);box-sizing:border-box;color:var(--oa-text);font-family:var(--oa-font);max-width:400px;padding:2rem;width:100%}.openape-auth--loading{align-items:center;display:flex;justify-content:center;min-height:200px}.openape-auth-spinner{animation:oa-spin .6s linear infinite;border:2.5px solid var(--oa-border);border-radius:50%;border-top-color:var(--oa-primary);height:24px;width:24px}.openape-auth-header{margin-bottom:1.5rem;text-align:center}.openape-auth-title{color:var(--oa-text);font-size:1.375rem;font-weight:600;letter-spacing:-.01em;margin:0 0 .375rem}.openape-auth-subtitle{color:var(--oa-text-muted);font-size:.875rem;margin:0}.openape-auth-form{display:flex;flex-direction:column;gap:.75rem}.openape-auth-error{background:var(--oa-error-bg);border-radius:calc(var(--oa-radius) - 2px);color:var(--oa-error);font-size:.8125rem;margin:0;padding:.625rem .75rem}.openape-auth-input{background:var(--oa-input-bg);border:1px solid var(--oa-input-border);border-radius:calc(var(--oa-radius) - 2px);box-sizing:border-box;color:var(--oa-text);font-family:var(--oa-font);font-size:.9375rem;outline:none;padding:.625rem .75rem;transition:border-color .15s;width:100%}.openape-auth-input:focus{border-color:var(--oa-input-focus);box-shadow:0 0 0 1px var(--oa-input-focus)}.openape-auth-input:disabled{cursor:not-allowed;opacity:.6}.openape-auth-button{background:var(--oa-primary);border:none;border-radius:calc(var(--oa-radius) - 2px);color:var(--oa-primary-text);cursor:pointer;font-family:var(--oa-font);font-size:.9375rem;font-weight:500;padding:.625rem 1rem;transition:background .15s}.openape-auth-button:hover:not(:disabled){background:var(--oa-primary-hover)}.openape-auth-button:disabled{cursor:not-allowed;opacity:.5}.openape-auth-button-loading{align-items:center;display:inline-flex;gap:.5rem;justify-content:center}.openape-auth-spinner-icon{animation:oa-spin .6s linear infinite;height:16px;width:16px}@keyframes oa-spin{to{transform:rotate(1turn)}}@media (prefers-color-scheme:dark){.openape-auth{--oa-bg:#18181b;--oa-border:#2e2e32;--oa-text:#f4f4f5;--oa-text-muted:#a1a1aa;--oa-primary:#f4f4f5;--oa-primary-hover:#e4e4e7;--oa-primary-text:#18181b;--oa-error-bg:#2d1215;--oa-input-bg:#1f1f23;--oa-input-border:#3f3f46;--oa-input-focus:#a1a1aa}}
+</style>

package/dist/runtime/server/handlers.d.ts

@@ -0,0 +1,21 @@
+import type { H3Event } from 'h3';
+import type { DDISAAssertionClaims } from '@openape/core';
+export interface LoginHandlerOptions {
+    callbackPath: string;
+}
+export interface CallbackHandlerOptions {
+    onSuccess: (event: H3Event, result: {
+        claims: DDISAAssertionClaims;
+        rawAssertion: string;
+    }) => Promise<void>;
+    onError?: (event: H3Event, error: Error) => Promise<void>;
+}
+export interface SPManifestHandlerOptions {
+    callbackPath: string;
+    description?: string;
+}
+export declare function defineOpenApeLoginHandler(options: LoginHandlerOptions): import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    redirectUrl: string;
+}>>;
+export declare function defineOpenApeCallbackHandler(options: CallbackHandlerOptions): import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<void>>;
+export declare function defineOpenApeSPManifestHandler(options: SPManifestHandlerOptions): import("h3").EventHandler<import("h3").EventHandlerRequest, import("@openape/core").SPManifest>;

package/dist/runtime/server/handlers.js

@@ -0,0 +1,100 @@
+import { createError, defineEventHandler, getQuery, getRequestURL, readBody, sendRedirect } from "h3";
+import { createAuthorizationURL, createSPManifest, discoverIdP, handleCallback } from "@openape/auth";
+import { getSpConfig, saveFlowState, getFlowState, clearFlowState } from "./utils/sp-config.js";
+export function defineOpenApeLoginHandler(options) {
+  return defineEventHandler(async (event) => {
+    const body = await readBody(event);
+    const { spId, openapeUrl, fallbackIdpUrl } = getSpConfig();
+    const origin = getRequestURL(event).origin;
+    const redirectUri = `${origin}${options.callbackPath}`;
+    if (!body?.email || !body.email.includes("@")) {
+      throw createError({ statusCode: 400, statusMessage: "Valid email required" });
+    }
+    const email = body.email.trim();
+    const domain = email.split("@")[1];
+    let idpConfig;
+    if (openapeUrl) {
+      idpConfig = { idpUrl: openapeUrl, record: { version: "ddisa1", idp: openapeUrl, raw: `v=ddisa1; idp=${openapeUrl}` } };
+    } else {
+      idpConfig = await discoverIdP(email, { fallbackIdpUrl: fallbackIdpUrl || void 0 });
+    }
+    if (!idpConfig) {
+      throw createError({
+        statusCode: 404,
+        statusMessage: `No DDISA IdP found for domain "${domain}"`
+      });
+    }
+    const { url, flowState } = await createAuthorizationURL(idpConfig, {
+      spId,
+      redirectUri,
+      email
+    });
+    await saveFlowState(event, flowState.state, flowState);
+    return { redirectUrl: url };
+  });
+}
+export function defineOpenApeCallbackHandler(options) {
+  return defineEventHandler(async (event) => {
+    const query = getQuery(event);
+    const { code, state, error, error_description } = query;
+    const { spId } = getSpConfig();
+    const origin = getRequestURL(event).origin;
+    if (error) {
+      const msg = error_description || error;
+      if (options.onError) {
+        await options.onError(event, new Error(msg));
+        return;
+      }
+      return sendRedirect(event, `/login?error=${encodeURIComponent(msg)}`);
+    }
+    if (!code || !state) {
+      const err = new Error("Missing code or state parameter");
+      if (options.onError) {
+        await options.onError(event, err);
+        return;
+      }
+      return sendRedirect(event, `/login?error=${encodeURIComponent(err.message)}`);
+    }
+    const flowState = await getFlowState(event, state);
+    if (!flowState) {
+      const err = new Error("Invalid or expired state \u2014 please try again");
+      if (options.onError) {
+        await options.onError(event, err);
+        return;
+      }
+      return sendRedirect(event, `/login?error=${encodeURIComponent(err.message)}`);
+    }
+    try {
+      const redirectUri = `${origin}${getRequestURL(event).pathname}`;
+      const result = await handleCallback({
+        code,
+        state,
+        flowState,
+        spId,
+        redirectUri
+      });
+      await clearFlowState(event);
+      await options.onSuccess(event, { claims: result.claims, rawAssertion: result.rawAssertion });
+    } catch (err) {
+      await clearFlowState(event);
+      const error2 = err instanceof Error ? err : new Error("Callback processing failed");
+      if (options.onError) {
+        await options.onError(event, error2);
+        return;
+      }
+      return sendRedirect(event, `/login?error=${encodeURIComponent(error2.message)}`);
+    }
+  });
+}
+export function defineOpenApeSPManifestHandler(options) {
+  return defineEventHandler((event) => {
+    const { spId, spName } = getSpConfig();
+    const origin = getRequestURL(event).origin;
+    return createSPManifest({
+      sp_id: spId,
+      name: spName,
+      redirect_uris: [`${origin}${options.callbackPath}`],
+      description: options.description || `${spName} \u2014 OpenApe Service Provider`
+    });
+  });
+}

package/dist/runtime/server/routes/well-known/auth.md.get.d.ts

@@ -0,0 +1,2 @@
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, string>;
+export default _default;

package/dist/runtime/server/routes/well-known/auth.md.get.js

@@ -0,0 +1,55 @@
+import { defineEventHandler, getRequestURL, setResponseHeader } from "h3";
+import { getSpConfig } from "../../utils/sp-config.js";
+export default defineEventHandler((event) => {
+  const { spId, spName, fallbackIdpUrl } = getSpConfig();
+  const origin = getRequestURL(event).origin;
+  setResponseHeader(event, "Content-Type", "text/markdown; charset=utf-8");
+  return `# Authentication \u2014 ${spName}
+
+## Protocol
+DDISA v1 (DNS-Discoverable Identity & Service Authorization)
+
+## Service Provider
+- **SP ID:** \`${spId}\`
+- **Origin:** \`${origin}\`
+
+## Endpoints
+
+| Method | Path | Description |
+|--------|------|-------------|
+| POST | /api/login | Start login \u2014 send \`{"email": "you@example.com"}\` |
+| GET | /api/callback | OAuth callback (automatic) |
+| GET | /api/me | Get current session (returns 401 if not authenticated) |
+| POST | /api/logout | End session |
+| GET | /.well-known/sp-manifest.json | SP metadata |
+
+## How to Authenticate
+
+### Step 1 \u2014 Start Login
+\`\`\`
+POST ${origin}/api/login
+Content-Type: application/json
+
+{"email": "your-identity@example.com"}
+\`\`\`
+Response: \`{"redirectUrl": "https://idp.example.com/authorize?..."}\`
+
+### Step 2 \u2014 Authenticate at IdP
+Follow the \`redirectUrl\`. The IdP at your email domain (discovered via DNS \`_ddisa.{domain}\`) handles authentication.
+
+- **Humans:** WebAuthn passkey prompt
+- **Agents:** Present your Bearer token (obtained via IdP challenge-response)
+
+If no DNS record exists for your domain, the fallback IdP \`${fallbackIdpUrl}\` is used.
+
+### Step 3 \u2014 Session Established
+After successful authentication, you are redirected to \`/api/callback\`. A session cookie is set. Use \`GET /api/me\` to verify your session.
+
+## Identity Discovery
+This SP discovers your IdP via DNS TXT record:
+\`\`\`
+_ddisa.{your-domain} TXT "v=ddisa1 idp=https://your-idp.example.com"
+\`\`\`
+No DNS record? The fallback IdP (${fallbackIdpUrl}) is used automatically.
+`;
+});

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@openape/nuxt-auth-sp",
   "type": "module",
-  "version": "0.1.10",
+  "version": "0.3.0",
   "description": "OpenAPE Service Provider Nuxt module — adds OIDC login via DNS-based IdP discovery",
   "author": "Delta Mind GmbH",
   "license": "AGPL-3.0-or-later",
@@ -9,6 +9,10 @@
     ".": {
       "types": "./dist/types.d.mts",
       "import": "./dist/module.mjs"
+    },
+    "./handlers": {
+      "types": "./dist/runtime/server/handlers.d.ts",
+      "import": "./dist/runtime/server/handlers.js"
     }
   },
   "main": "./dist/module.mjs",
@@ -29,9 +33,9 @@
   },
   "dependencies": {
     "@nuxt/kit": "^3.21.1",
-    "@openape/auth": "^0.1.2",
+    "@openape/auth": "^0.1.3",
     "@openape/core": "^0.1.2",
-    "@openape/nuxt-auth-sp": "0.1.10",
+    "@openape/nuxt-auth-sp": "0.3.0",
     "defu": "^6.1.4"
   },
   "peerDependencies": {