@openape/nuxt-auth-sp 0.1.11 → 0.4.0

package/dist/module.d.mts

@@ -1,13 +1,59 @@
 import * as _nuxt_schema from '@nuxt/schema';
 
+interface ManifestConfig {
+    service?: {
+        name?: string;
+        description?: string;
+        url?: string;
+        icon?: string;
+        privacy_policy?: string;
+        terms?: string;
+        contact?: string;
+    };
+    auth?: {
+        ddisa_domain?: string;
+        oidc_client_id?: string;
+        supported_methods?: ('ddisa' | 'oidc')[];
+        login_url?: string;
+    };
+    scopes?: Record<string, {
+        name: string;
+        description: string;
+        risk: 'low' | 'medium' | 'high' | 'critical';
+        category?: string;
+        parameters?: Record<string, {
+            type: string;
+            description: string;
+        }>;
+    }>;
+    categories?: Record<string, {
+        name: string;
+        icon?: string;
+    }>;
+    policies?: {
+        agent_access?: string;
+        delegation?: 'allowed' | 'denied';
+        max_delegation_duration?: string | null;
+        require_grant_for_risk?: Record<string, string | null>;
+        require_mfa_for_risk?: Record<string, boolean>;
+    };
+    rate_limits?: Record<string, Record<string, number>>;
+    endpoints?: {
+        api_base?: string;
+        openapi?: string;
+        grant_verify?: string;
+    };
+}
 interface ModuleOptions {
     spId: string;
     spName: string;
     sessionSecret: string;
     openapeUrl: string;
     fallbackIdpUrl: string;
+    routes: boolean;
+    manifest?: ManifestConfig;
 }
 declare const _default: _nuxt_schema.NuxtModule<ModuleOptions, ModuleOptions, false>;
 
 export { _default as default };
-export type { ModuleOptions };
+export type { ManifestConfig, ModuleOptions };

package/dist/module.json

@@ -1,9 +1,9 @@
 {
   "name": "@openape/nuxt-auth-sp",
   "configKey": "openapeSp",
-  "version": "0.1.11",
+  "version": "0.4.0",
   "builder": {
-    "@nuxt/module-builder": "0.8.4",
+    "@nuxt/module-builder": "1.0.2",
     "unbuild": "unknown"
   }
 }

package/dist/module.mjs

@@ -3,7 +3,7 @@ import { useLogger, defineNuxtModule, createResolver, addServerImportsDir, addIm
 import { defu } from 'defu';
 
 const logger = useLogger("@openape/nuxt-auth-sp");
-const module = defineNuxtModule({
+const module$1 = defineNuxtModule({
   meta: {
     name: "@openape/nuxt-auth-sp",
     configKey: "openapeSp"
@@ -13,7 +13,8 @@ const module = defineNuxtModule({
     spName: "OpenApe Service Provider",
     sessionSecret: "change-me-sp-secret-at-least-32-chars-long",
     openapeUrl: "",
-    fallbackIdpUrl: "https://id.openape.at"
+    fallbackIdpUrl: "https://id.openape.at",
+    routes: true
   },
   setup(options, nuxt) {
     const { resolve } = createResolver(import.meta.url);
@@ -46,12 +47,16 @@ const module = defineNuxtModule({
     addServerImportsDir(resolve("./runtime/server/utils"));
     addImportsDir(resolve("./runtime/composables"));
     addComponentsDir({ path: resolve(runtimeDir, "components") });
-    addServerHandler({ route: "/api/login", method: "post", handler: resolve("./runtime/server/api/login.post") });
-    addServerHandler({ route: "/api/callback", handler: resolve("./runtime/server/api/callback.get") });
-    addServerHandler({ route: "/api/logout", method: "post", handler: resolve("./runtime/server/api/logout.post") });
-    addServerHandler({ route: "/api/me", handler: resolve("./runtime/server/api/me.get") });
-    addServerHandler({ route: "/.well-known/sp-manifest.json", handler: resolve("./runtime/server/routes/well-known/sp-manifest.json.get") });
+    if (options.routes !== false) {
+      addServerHandler({ route: "/api/login", method: "post", handler: resolve("./runtime/server/api/login.post") });
+      addServerHandler({ route: "/api/callback", handler: resolve("./runtime/server/api/callback.get") });
+      addServerHandler({ route: "/api/logout", method: "post", handler: resolve("./runtime/server/api/logout.post") });
+      addServerHandler({ route: "/api/me", handler: resolve("./runtime/server/api/me.get") });
+      addServerHandler({ route: "/.well-known/sp-manifest.json", handler: resolve("./runtime/server/routes/well-known/sp-manifest.json.get") });
+      addServerHandler({ route: "/.well-known/auth.md", handler: resolve("./runtime/server/routes/well-known/auth.md.get") });
+      addServerHandler({ route: "/.well-known/openape.json", handler: resolve("./runtime/server/routes/well-known/openape.json.get") });
+    }
   }
 });
 
-export { module as default };
+export { module$1 as default };

package/dist/runtime/components/OpenApeAuth.d.vue.ts

@@ -0,0 +1,38 @@
+type __VLS_Props = {
+    title?: string;
+    subtitle?: string;
+    buttonText?: string;
+    placeholder?: string;
+};
+declare var __VLS_1: {}, __VLS_3: {
+    error: any;
+}, __VLS_5: {
+    submitting: any;
+}, __VLS_7: {};
+type __VLS_Slots = {} & {
+    header?: (props: typeof __VLS_1) => any;
+} & {
+    error?: (props: typeof __VLS_3) => any;
+} & {
+    button?: (props: typeof __VLS_5) => any;
+} & {
+    footer?: (props: typeof __VLS_7) => any;
+};
+declare const __VLS_base: import("vue").DefineComponent<__VLS_Props, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {
+    error: (error: Error) => any;
+}, string, import("vue").PublicProps, Readonly<__VLS_Props> & Readonly<{
+    onError?: ((error: Error) => any) | undefined;
+}>, {
+    title: string;
+    subtitle: string;
+    buttonText: string;
+    placeholder: string;
+}, {}, {}, {}, string, import("vue").ComponentProvideOptions, false, {}, any>;
+declare const __VLS_export: __VLS_WithSlots<typeof __VLS_base, __VLS_Slots>;
+declare const _default: typeof __VLS_export;
+export default _default;
+type __VLS_WithSlots<T, S> = T & {
+    new (): {
+        $slots: S;
+    };
+};

package/dist/runtime/components/OpenApeAuth.vue

@@ -0,0 +1,99 @@
+<script setup>
+defineProps({
+  title: { type: String, required: false, default: "Sign in" },
+  subtitle: { type: String, required: false, default: "Enter your email to continue" },
+  buttonText: { type: String, required: false, default: "Continue" },
+  placeholder: { type: String, required: false, default: "you@example.com" }
+});
+const emit = defineEmits(["error"]);
+const { user, loading, fetchUser, login } = useOpenApeAuth();
+const email = ref("");
+const error = ref("");
+const submitting = ref(false);
+const route = useRoute();
+onMounted(async () => {
+  await fetchUser();
+  if (user.value) {
+    navigateTo("/dashboard");
+  }
+  if (route.query.error) {
+    error.value = String(route.query.error);
+  }
+});
+async function handleSubmit() {
+  error.value = "";
+  if (!email.value || !email.value.includes("@")) {
+    error.value = "Please enter a valid email address";
+    return;
+  }
+  submitting.value = true;
+  try {
+    await login(email.value);
+  } catch (e) {
+    const err = e instanceof Error ? e : new Error("Login failed");
+    error.value = e?.data?.message || err.message;
+    emit("error", err);
+    submitting.value = false;
+  }
+}
+</script>
+
+<template>
+  <div v-if="loading" class="openape-auth openape-auth--loading">
+    <div class="openape-auth-spinner" />
+  </div>
+
+  <div v-else class="openape-auth">
+    <slot name="header">
+      <div class="openape-auth-header">
+        <h2 class="openape-auth-title">
+          {{ title }}
+        </h2>
+        <p class="openape-auth-subtitle">
+          {{ subtitle }}
+        </p>
+      </div>
+    </slot>
+
+    <form class="openape-auth-form" @submit.prevent="handleSubmit">
+      <slot name="error" :error="error">
+        <p v-if="error" class="openape-auth-error">
+          {{ error }}
+        </p>
+      </slot>
+
+      <input
+        v-model="email"
+        type="email"
+        class="openape-auth-input"
+        :placeholder="placeholder"
+        required
+        :disabled="submitting"
+        autocomplete="email"
+      >
+
+      <slot name="button" :submitting="submitting">
+        <button
+          type="submit"
+          class="openape-auth-button"
+          :disabled="submitting || !email"
+        >
+          <span v-if="submitting" class="openape-auth-button-loading">
+            <svg class="openape-auth-spinner-icon" viewBox="0 0 24 24" fill="none">
+              <circle cx="12" cy="12" r="10" stroke="currentColor" stroke-width="2.5" opacity="0.25" />
+              <path d="M12 2a10 10 0 0 1 10 10" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" />
+            </svg>
+            Redirecting…
+          </span>
+          <span v-else>{{ buttonText }}</span>
+        </button>
+      </slot>
+    </form>
+
+    <slot name="footer" />
+  </div>
+</template>
+
+<style>
+.openape-auth{--oa-bg:#fff;--oa-border:#e2e2e2;--oa-text:#1a1a1a;--oa-text-muted:#6b7280;--oa-primary:#18181b;--oa-primary-hover:#27272a;--oa-primary-text:#fff;--oa-error:#dc2626;--oa-error-bg:#fef2f2;--oa-input-bg:#fff;--oa-input-border:#d1d5db;--oa-input-focus:#18181b;--oa-radius:8px;--oa-font:system-ui,-apple-system,sans-serif;background:var(--oa-bg);border:1px solid var(--oa-border);border-radius:var(--oa-radius);box-sizing:border-box;color:var(--oa-text);font-family:var(--oa-font);max-width:400px;padding:2rem;width:100%}.openape-auth--loading{align-items:center;display:flex;justify-content:center;min-height:200px}.openape-auth-spinner{animation:oa-spin .6s linear infinite;border:2.5px solid var(--oa-border);border-radius:50%;border-top-color:var(--oa-primary);height:24px;width:24px}.openape-auth-header{margin-bottom:1.5rem;text-align:center}.openape-auth-title{color:var(--oa-text);font-size:1.375rem;font-weight:600;letter-spacing:-.01em;margin:0 0 .375rem}.openape-auth-subtitle{color:var(--oa-text-muted);font-size:.875rem;margin:0}.openape-auth-form{display:flex;flex-direction:column;gap:.75rem}.openape-auth-error{background:var(--oa-error-bg);border-radius:calc(var(--oa-radius) - 2px);color:var(--oa-error);font-size:.8125rem;margin:0;padding:.625rem .75rem}.openape-auth-input{background:var(--oa-input-bg);border:1px solid var(--oa-input-border);border-radius:calc(var(--oa-radius) - 2px);box-sizing:border-box;color:var(--oa-text);font-family:var(--oa-font);font-size:.9375rem;outline:none;padding:.625rem .75rem;transition:border-color .15s;width:100%}.openape-auth-input:focus{border-color:var(--oa-input-focus);box-shadow:0 0 0 1px var(--oa-input-focus)}.openape-auth-input:disabled{cursor:not-allowed;opacity:.6}.openape-auth-button{background:var(--oa-primary);border:none;border-radius:calc(var(--oa-radius) - 2px);color:var(--oa-primary-text);cursor:pointer;font-family:var(--oa-font);font-size:.9375rem;font-weight:500;padding:.625rem 1rem;transition:background .15s}.openape-auth-button:hover:not(:disabled){background:var(--oa-primary-hover)}.openape-auth-button:disabled{cursor:not-allowed;opacity:.5}.openape-auth-button-loading{align-items:center;display:inline-flex;gap:.5rem;justify-content:center}.openape-auth-spinner-icon{animation:oa-spin .6s linear infinite;height:16px;width:16px}@keyframes oa-spin{to{transform:rotate(1turn)}}@media (prefers-color-scheme:dark){.openape-auth{--oa-bg:#18181b;--oa-border:#2e2e32;--oa-text:#f4f4f5;--oa-text-muted:#a1a1aa;--oa-primary:#f4f4f5;--oa-primary-hover:#e4e4e7;--oa-primary-text:#18181b;--oa-error-bg:#2d1215;--oa-input-bg:#1f1f23;--oa-input-border:#3f3f46;--oa-input-focus:#a1a1aa}}
+</style>

package/dist/runtime/components/OpenApeAuth.vue.d.ts

@@ -0,0 +1,38 @@
+type __VLS_Props = {
+    title?: string;
+    subtitle?: string;
+    buttonText?: string;
+    placeholder?: string;
+};
+declare var __VLS_1: {}, __VLS_3: {
+    error: any;
+}, __VLS_5: {
+    submitting: any;
+}, __VLS_7: {};
+type __VLS_Slots = {} & {
+    header?: (props: typeof __VLS_1) => any;
+} & {
+    error?: (props: typeof __VLS_3) => any;
+} & {
+    button?: (props: typeof __VLS_5) => any;
+} & {
+    footer?: (props: typeof __VLS_7) => any;
+};
+declare const __VLS_base: import("vue").DefineComponent<__VLS_Props, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {
+    error: (error: Error) => any;
+}, string, import("vue").PublicProps, Readonly<__VLS_Props> & Readonly<{
+    onError?: ((error: Error) => any) | undefined;
+}>, {
+    title: string;
+    subtitle: string;
+    buttonText: string;
+    placeholder: string;
+}, {}, {}, {}, string, import("vue").ComponentProvideOptions, false, {}, any>;
+declare const __VLS_export: __VLS_WithSlots<typeof __VLS_base, __VLS_Slots>;
+declare const _default: typeof __VLS_export;
+export default _default;
+type __VLS_WithSlots<T, S> = T & {
+    new (): {
+        $slots: S;
+    };
+};

package/dist/runtime/server/api/callback.get.js

@@ -30,7 +30,8 @@ export default defineEventHandler(async (event) => {
     clearFlowState(event);
     const session = await getSpSession(event);
     await session.update({
-      claims: result.claims
+      claims: result.claims,
+      authorizationDetails: result.authorizationDetails
     });
     return sendRedirect(event, "/dashboard");
   } catch (err) {

package/dist/runtime/server/handlers.d.ts

@@ -0,0 +1,21 @@
+import type { H3Event } from 'h3';
+import type { DDISAAssertionClaims } from '@openape/core';
+export interface LoginHandlerOptions {
+    callbackPath: string;
+}
+export interface CallbackHandlerOptions {
+    onSuccess: (event: H3Event, result: {
+        claims: DDISAAssertionClaims;
+        rawAssertion: string;
+    }) => Promise<void>;
+    onError?: (event: H3Event, error: Error) => Promise<void>;
+}
+export interface SPManifestHandlerOptions {
+    callbackPath: string;
+    description?: string;
+}
+export declare function defineOpenApeLoginHandler(options: LoginHandlerOptions): import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    redirectUrl: string;
+}>>;
+export declare function defineOpenApeCallbackHandler(options: CallbackHandlerOptions): import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<void>>;
+export declare function defineOpenApeSPManifestHandler(options: SPManifestHandlerOptions): import("h3").EventHandler<import("h3").EventHandlerRequest, import("@openape/core").SPManifest>;

package/dist/runtime/server/handlers.js

@@ -0,0 +1,100 @@
+import { createError, defineEventHandler, getQuery, getRequestURL, readBody, sendRedirect } from "h3";
+import { createAuthorizationURL, createSPManifest, discoverIdP, handleCallback } from "@openape/auth";
+import { getSpConfig, saveFlowState, getFlowState, clearFlowState } from "./utils/sp-config.js";
+export function defineOpenApeLoginHandler(options) {
+  return defineEventHandler(async (event) => {
+    const body = await readBody(event);
+    const { spId, openapeUrl, fallbackIdpUrl } = getSpConfig();
+    const origin = getRequestURL(event).origin;
+    const redirectUri = `${origin}${options.callbackPath}`;
+    if (!body?.email || !body.email.includes("@")) {
+      throw createError({ statusCode: 400, statusMessage: "Valid email required" });
+    }
+    const email = body.email.trim();
+    const domain = email.split("@")[1];
+    let idpConfig;
+    if (openapeUrl) {
+      idpConfig = { idpUrl: openapeUrl, record: { version: "ddisa1", idp: openapeUrl, raw: `v=ddisa1; idp=${openapeUrl}` } };
+    } else {
+      idpConfig = await discoverIdP(email, { fallbackIdpUrl: fallbackIdpUrl || void 0 });
+    }
+    if (!idpConfig) {
+      throw createError({
+        statusCode: 404,
+        statusMessage: `No DDISA IdP found for domain "${domain}"`
+      });
+    }
+    const { url, flowState } = await createAuthorizationURL(idpConfig, {
+      spId,
+      redirectUri,
+      email
+    });
+    await saveFlowState(event, flowState.state, flowState);
+    return { redirectUrl: url };
+  });
+}
+export function defineOpenApeCallbackHandler(options) {
+  return defineEventHandler(async (event) => {
+    const query = getQuery(event);
+    const { code, state, error, error_description } = query;
+    const { spId } = getSpConfig();
+    const origin = getRequestURL(event).origin;
+    if (error) {
+      const msg = error_description || error;
+      if (options.onError) {
+        await options.onError(event, new Error(msg));
+        return;
+      }
+      return sendRedirect(event, `/login?error=${encodeURIComponent(msg)}`);
+    }
+    if (!code || !state) {
+      const err = new Error("Missing code or state parameter");
+      if (options.onError) {
+        await options.onError(event, err);
+        return;
+      }
+      return sendRedirect(event, `/login?error=${encodeURIComponent(err.message)}`);
+    }
+    const flowState = await getFlowState(event, state);
+    if (!flowState) {
+      const err = new Error("Invalid or expired state \u2014 please try again");
+      if (options.onError) {
+        await options.onError(event, err);
+        return;
+      }
+      return sendRedirect(event, `/login?error=${encodeURIComponent(err.message)}`);
+    }
+    try {
+      const redirectUri = `${origin}${getRequestURL(event).pathname}`;
+      const result = await handleCallback({
+        code,
+        state,
+        flowState,
+        spId,
+        redirectUri
+      });
+      await clearFlowState(event);
+      await options.onSuccess(event, { claims: result.claims, rawAssertion: result.rawAssertion });
+    } catch (err) {
+      await clearFlowState(event);
+      const error2 = err instanceof Error ? err : new Error("Callback processing failed");
+      if (options.onError) {
+        await options.onError(event, error2);
+        return;
+      }
+      return sendRedirect(event, `/login?error=${encodeURIComponent(error2.message)}`);
+    }
+  });
+}
+export function defineOpenApeSPManifestHandler(options) {
+  return defineEventHandler((event) => {
+    const { spId, spName } = getSpConfig();
+    const origin = getRequestURL(event).origin;
+    return createSPManifest({
+      sp_id: spId,
+      name: spName,
+      redirect_uris: [`${origin}${options.callbackPath}`],
+      description: options.description || `${spName} \u2014 OpenApe Service Provider`
+    });
+  });
+}

package/dist/runtime/server/routes/well-known/auth.md.get.d.ts

@@ -0,0 +1,2 @@
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, string>;
+export default _default;

package/dist/runtime/server/routes/well-known/auth.md.get.js

@@ -0,0 +1,55 @@
+import { defineEventHandler, getRequestURL, setResponseHeader } from "h3";
+import { getSpConfig } from "../../utils/sp-config.js";
+export default defineEventHandler((event) => {
+  const { spId, spName, fallbackIdpUrl } = getSpConfig();
+  const origin = getRequestURL(event).origin;
+  setResponseHeader(event, "Content-Type", "text/markdown; charset=utf-8");
+  return `# Authentication \u2014 ${spName}
+
+## Protocol
+DDISA v1 (DNS-Discoverable Identity & Service Authorization)
+
+## Service Provider
+- **SP ID:** \`${spId}\`
+- **Origin:** \`${origin}\`
+
+## Endpoints
+
+| Method | Path | Description |
+|--------|------|-------------|
+| POST | /api/login | Start login \u2014 send \`{"email": "you@example.com"}\` |
+| GET | /api/callback | OAuth callback (automatic) |
+| GET | /api/me | Get current session (returns 401 if not authenticated) |
+| POST | /api/logout | End session |
+| GET | /.well-known/sp-manifest.json | SP metadata |
+
+## How to Authenticate
+
+### Step 1 \u2014 Start Login
+\`\`\`
+POST ${origin}/api/login
+Content-Type: application/json
+
+{"email": "your-identity@example.com"}
+\`\`\`
+Response: \`{"redirectUrl": "https://idp.example.com/authorize?..."}\`
+
+### Step 2 \u2014 Authenticate at IdP
+Follow the \`redirectUrl\`. The IdP at your email domain (discovered via DNS \`_ddisa.{domain}\`) handles authentication.
+
+- **Humans:** WebAuthn passkey prompt
+- **Agents:** Present your Bearer token (obtained via IdP challenge-response)
+
+If no DNS record exists for your domain, the fallback IdP \`${fallbackIdpUrl}\` is used.
+
+### Step 3 \u2014 Session Established
+After successful authentication, you are redirected to \`/api/callback\`. A session cookie is set. Use \`GET /api/me\` to verify your session.
+
+## Identity Discovery
+This SP discovers your IdP via DNS TXT record:
+\`\`\`
+_ddisa.{your-domain} TXT "v=ddisa1 idp=https://your-idp.example.com"
+\`\`\`
+No DNS record? The fallback IdP (${fallbackIdpUrl}) is used automatically.
+`;
+});

package/dist/runtime/server/routes/well-known/openape.json.get.d.ts

@@ -0,0 +1,17 @@
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, {
+    endpoints?: {} | undefined;
+    rate_limits?: {} | undefined;
+    policies?: {} | undefined;
+    categories?: {} | undefined;
+    scopes?: {} | undefined;
+    version: string;
+    service: {
+        name: any;
+        url: string;
+    };
+    auth: {
+        ddisa_domain: any;
+        supported_methods: string[];
+    };
+}>;
+export default _default;

package/dist/runtime/server/routes/well-known/openape.json.get.js

@@ -0,0 +1,29 @@
+import { defineEventHandler, getRequestURL, setResponseHeader } from "h3";
+import { useRuntimeConfig } from "nitropack/runtime";
+import { getSpConfig } from "../../utils/sp-config.js";
+export default defineEventHandler((event) => {
+  const config = useRuntimeConfig();
+  const { spId, spName } = getSpConfig();
+  const origin = getRequestURL(event).origin;
+  const manifest = config.openapeSp.manifest;
+  setResponseHeader(event, "Access-Control-Allow-Origin", "*");
+  setResponseHeader(event, "Cache-Control", "public, max-age=3600");
+  return {
+    version: "1.0",
+    service: {
+      name: spName,
+      url: origin,
+      ...manifest?.service || {}
+    },
+    auth: {
+      ddisa_domain: spId,
+      supported_methods: ["ddisa"],
+      ...manifest?.auth || {}
+    },
+    ...manifest?.scopes ? { scopes: manifest.scopes } : {},
+    ...manifest?.categories ? { categories: manifest.categories } : {},
+    ...manifest?.policies ? { policies: manifest.policies } : {},
+    ...manifest?.rate_limits ? { rate_limits: manifest.rate_limits } : {},
+    ...manifest?.endpoints ? { endpoints: manifest.endpoints } : {}
+  };
+});

package/dist/runtime/server/utils/grants.d.ts

@@ -0,0 +1,30 @@
+import type { OpenApeAuthorizationDetail } from '@openape/core';
+import type { H3Event } from 'h3';
+/**
+ * Check if the current session has a grant for the given action.
+ */
+export declare function hasGrant(event: H3Event, action: string): Promise<boolean>;
+/**
+ * Find a specific grant by action from the session's authorization_details.
+ */
+export declare function findGrant(event: H3Event, action: string): Promise<OpenApeAuthorizationDetail | null>;
+/**
+ * Consume a 'once' grant by calling the IdP verify endpoint.
+ * Returns the verification result or throws on failure.
+ */
+export declare function consumeGrant(event: H3Event, grantId: string): Promise<{
+    valid: boolean;
+}>;
+/**
+ * Check if the current session is a delegated session (has act claim as object).
+ */
+export declare function isDelegated(event: H3Event): Promise<boolean>;
+/**
+ * Get the actual actor (delegate) from a delegated session.
+ * Returns the delegate's identifier (e.g. agent email) or null if not delegated.
+ */
+export declare function getActor(event: H3Event): Promise<string | null>;
+/**
+ * Get the subject (delegator — person being acted on behalf of) from the session.
+ */
+export declare function getSubject(event: H3Event): Promise<string | null>;

package/dist/runtime/server/utils/grants.js

@@ -0,0 +1,55 @@
+import { getSpSession } from "./sp-session.js";
+import { getSpConfig } from "./sp-config.js";
+export async function hasGrant(event, action) {
+  const session = await getSpSession(event);
+  const details = session.data.authorizationDetails;
+  if (!details) return false;
+  return details.some((d) => d.action === action);
+}
+export async function findGrant(event, action) {
+  const session = await getSpSession(event);
+  const details = session.data.authorizationDetails;
+  if (!details) return null;
+  return details.find((d) => d.action === action) ?? null;
+}
+export async function consumeGrant(event, grantId) {
+  const session = await getSpSession(event);
+  const details = session.data.authorizationDetails;
+  const detail = details?.find((d) => d.grant_id === grantId);
+  if (!detail) {
+    throw new Error(`Grant ${grantId} not found in session`);
+  }
+  const claims = session.data.claims;
+  const idpUrl = claims?.iss || getSpConfig().fallbackIdpUrl;
+  const response = await fetch(`${idpUrl}/api/grants/verify`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ grant_id: grantId })
+  });
+  if (!response.ok) {
+    throw new Error(`Grant verification failed: ${response.status}`);
+  }
+  return response.json();
+}
+export async function isDelegated(event) {
+  const session = await getSpSession(event);
+  const claims = session.data.claims;
+  if (!claims) return false;
+  return typeof claims.act === "object" && claims.act !== null && "sub" in claims.act;
+}
+export async function getActor(event) {
+  const session = await getSpSession(event);
+  const claims = session.data.claims;
+  if (!claims) return null;
+  const act = claims.act;
+  if (typeof act === "object" && act !== null && "sub" in act) {
+    return act.sub;
+  }
+  return null;
+}
+export async function getSubject(event) {
+  const session = await getSpSession(event);
+  const claims = session.data.claims;
+  if (!claims) return null;
+  return claims.sub ?? null;
+}

package/dist/types.d.mts

@@ -1,7 +1,3 @@
-import type { NuxtModule } from '@nuxt/schema'
+export { default } from './module.mjs'
 
-import type { default as Module } from './module.js'
-
-export type ModuleOptions = typeof Module extends NuxtModule<infer O> ? Partial<O> : Record<string, any>
-
-export { default } from './module.js'
+export { type ManifestConfig, type ModuleOptions } from './module.mjs'

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@openape/nuxt-auth-sp",
   "type": "module",
-  "version": "0.1.11",
+  "version": "0.4.0",
   "description": "OpenAPE Service Provider Nuxt module — adds OIDC login via DNS-based IdP discovery",
   "author": "Delta Mind GmbH",
   "license": "AGPL-3.0-or-later",
@@ -9,6 +9,10 @@
     ".": {
       "types": "./dist/types.d.mts",
       "import": "./dist/module.mjs"
+    },
+    "./handlers": {
+      "types": "./dist/runtime/server/handlers.d.ts",
+      "import": "./dist/runtime/server/handlers.js"
     }
   },
   "main": "./dist/module.mjs",
@@ -31,7 +35,7 @@
     "@nuxt/kit": "^3.21.1",
     "@openape/auth": "^0.1.3",
     "@openape/core": "^0.1.2",
-    "@openape/nuxt-auth-sp": "0.1.10",
+    "@openape/nuxt-auth-sp": "0.4.0",
     "defu": "^6.1.4"
   },
   "peerDependencies": {
@@ -40,12 +44,15 @@
   "devDependencies": {
     "@antfu/eslint-config": "^7.6.1",
     "@changesets/cli": "^2.30.0",
-    "@nuxt/module-builder": "^0.8.4",
+    "@nuxt/module-builder": "^1.0.2",
+    "@nuxt/ui": "^4.5.1",
     "@types/node": "^22.19.13",
     "eslint": "^9.39.3",
     "nuxt": "^4.3.1",
+    "tailwindcss": "^4.2.1",
     "typescript": "^5.9.3",
     "vitest": "^3.2.4",
+    "vue": "^3.5.30",
     "vue-tsc": "^3.2.5"
   },
   "engines": {

package/dist/module.cjs

@@ -1,5 +0,0 @@
-module.exports = function(...args) {
-  return import('./module.mjs').then(m => m.default.call(this, ...args))
-}
-const _meta = module.exports.meta = require('./module.json')
-module.exports.getMeta = () => Promise.resolve(_meta)

package/dist/module.d.ts

@@ -1,13 +0,0 @@
-import * as _nuxt_schema from '@nuxt/schema';
-
-interface ModuleOptions {
-    spId: string;
-    spName: string;
-    sessionSecret: string;
-    openapeUrl: string;
-    fallbackIdpUrl: string;
-}
-declare const _default: _nuxt_schema.NuxtModule<ModuleOptions, ModuleOptions, false>;
-
-export { _default as default };
-export type { ModuleOptions };

package/dist/types.d.ts

@@ -1,7 +0,0 @@
-import type { NuxtModule } from '@nuxt/schema'
-
-import type { default as Module } from './module'
-
-export type ModuleOptions = typeof Module extends NuxtModule<infer O> ? Partial<O> : Record<string, any>
-
-export { default } from './module'