@openape/nuxt-auth-sp 0.3.0 → 0.4.1

package/dist/module.d.mts

@@ -1,5 +1,49 @@
 import * as _nuxt_schema from '@nuxt/schema';
 
+interface ManifestConfig {
+    service?: {
+        name?: string;
+        description?: string;
+        url?: string;
+        icon?: string;
+        privacy_policy?: string;
+        terms?: string;
+        contact?: string;
+    };
+    auth?: {
+        ddisa_domain?: string;
+        oidc_client_id?: string;
+        supported_methods?: ('ddisa' | 'oidc')[];
+        login_url?: string;
+    };
+    scopes?: Record<string, {
+        name: string;
+        description: string;
+        risk: 'low' | 'medium' | 'high' | 'critical';
+        category?: string;
+        parameters?: Record<string, {
+            type: string;
+            description: string;
+        }>;
+    }>;
+    categories?: Record<string, {
+        name: string;
+        icon?: string;
+    }>;
+    policies?: {
+        agent_access?: string;
+        delegation?: 'allowed' | 'denied';
+        max_delegation_duration?: string | null;
+        require_grant_for_risk?: Record<string, string | null>;
+        require_mfa_for_risk?: Record<string, boolean>;
+    };
+    rate_limits?: Record<string, Record<string, number>>;
+    endpoints?: {
+        api_base?: string;
+        openapi?: string;
+        grant_verify?: string;
+    };
+}
 interface ModuleOptions {
     spId: string;
     spName: string;
@@ -7,8 +51,9 @@ interface ModuleOptions {
     openapeUrl: string;
     fallbackIdpUrl: string;
     routes: boolean;
+    manifest?: ManifestConfig;
 }
 declare const _default: _nuxt_schema.NuxtModule<ModuleOptions, ModuleOptions, false>;
 
 export { _default as default };
-export type { ModuleOptions };
+export type { ManifestConfig, ModuleOptions };

package/dist/module.json

@@ -1,9 +1,9 @@
 {
   "name": "@openape/nuxt-auth-sp",
   "configKey": "openapeSp",
-  "version": "0.3.0",
+  "version": "0.4.1",
   "builder": {
-    "@nuxt/module-builder": "0.8.4",
+    "@nuxt/module-builder": "1.0.2",
     "unbuild": "unknown"
   }
 }

package/dist/module.mjs

@@ -3,7 +3,7 @@ import { useLogger, defineNuxtModule, createResolver, addServerImportsDir, addIm
 import { defu } from 'defu';
 
 const logger = useLogger("@openape/nuxt-auth-sp");
-const module = defineNuxtModule({
+const module$1 = defineNuxtModule({
   meta: {
     name: "@openape/nuxt-auth-sp",
     configKey: "openapeSp"
@@ -54,8 +54,9 @@ const module = defineNuxtModule({
       addServerHandler({ route: "/api/me", handler: resolve("./runtime/server/api/me.get") });
       addServerHandler({ route: "/.well-known/sp-manifest.json", handler: resolve("./runtime/server/routes/well-known/sp-manifest.json.get") });
       addServerHandler({ route: "/.well-known/auth.md", handler: resolve("./runtime/server/routes/well-known/auth.md.get") });
+      addServerHandler({ route: "/.well-known/openape.json", handler: resolve("./runtime/server/routes/well-known/openape.json.get") });
     }
   }
 });
 
-export { module as default };
+export { module$1 as default };

package/dist/runtime/components/OpenApeAuth.d.vue.ts

@@ -0,0 +1,38 @@
+type __VLS_Props = {
+    title?: string;
+    subtitle?: string;
+    buttonText?: string;
+    placeholder?: string;
+};
+declare var __VLS_1: {}, __VLS_3: {
+    error: any;
+}, __VLS_5: {
+    submitting: any;
+}, __VLS_7: {};
+type __VLS_Slots = {} & {
+    header?: (props: typeof __VLS_1) => any;
+} & {
+    error?: (props: typeof __VLS_3) => any;
+} & {
+    button?: (props: typeof __VLS_5) => any;
+} & {
+    footer?: (props: typeof __VLS_7) => any;
+};
+declare const __VLS_base: import("vue").DefineComponent<__VLS_Props, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {
+    error: (error: Error) => any;
+}, string, import("vue").PublicProps, Readonly<__VLS_Props> & Readonly<{
+    onError?: ((error: Error) => any) | undefined;
+}>, {
+    title: string;
+    subtitle: string;
+    buttonText: string;
+    placeholder: string;
+}, {}, {}, {}, string, import("vue").ComponentProvideOptions, false, {}, any>;
+declare const __VLS_export: __VLS_WithSlots<typeof __VLS_base, __VLS_Slots>;
+declare const _default: typeof __VLS_export;
+export default _default;
+type __VLS_WithSlots<T, S> = T & {
+    new (): {
+        $slots: S;
+    };
+};

package/dist/runtime/components/OpenApeAuth.vue

@@ -1,52 +1,39 @@
-<script setup lang="ts">
-withDefaults(defineProps<{
-  title?: string
-  subtitle?: string
-  buttonText?: string
-  placeholder?: string
-}>(), {
-  title: 'Sign in',
-  subtitle: 'Enter your email to continue',
-  buttonText: 'Continue',
-  placeholder: 'you@example.com',
-})
-
-const emit = defineEmits<{
-  error: [error: Error]
-}>()
-
-const { user, loading, fetchUser, login } = useOpenApeAuth()
-const email = ref('')
-const error = ref('')
-const submitting = ref(false)
-
-const route = useRoute()
-
+<script setup>
+defineProps({
+  title: { type: String, required: false, default: "Sign in" },
+  subtitle: { type: String, required: false, default: "Enter your email to continue" },
+  buttonText: { type: String, required: false, default: "Continue" },
+  placeholder: { type: String, required: false, default: "you@example.com" }
+});
+const emit = defineEmits(["error"]);
+const { user, loading, fetchUser, login } = useOpenApeAuth();
+const email = ref("");
+const error = ref("");
+const submitting = ref(false);
+const route = useRoute();
 onMounted(async () => {
-  await fetchUser()
+  await fetchUser();
   if (user.value) {
-    navigateTo('/dashboard')
+    navigateTo("/dashboard");
   }
   if (route.query.error) {
-    error.value = String(route.query.error)
+    error.value = String(route.query.error);
   }
-})
-
+});
 async function handleSubmit() {
-  error.value = ''
-  if (!email.value || !email.value.includes('@')) {
-    error.value = 'Please enter a valid email address'
-    return
+  error.value = "";
+  if (!email.value || !email.value.includes("@")) {
+    error.value = "Please enter a valid email address";
+    return;
   }
-  submitting.value = true
+  submitting.value = true;
   try {
-    await login(email.value)
-  }
-  catch (e: unknown) {
-    const err = e instanceof Error ? e : new Error('Login failed')
-    error.value = (e as any)?.data?.message || err.message
-    emit('error', err)
-    submitting.value = false
+    await login(email.value);
+  } catch (e) {
+    const err = e instanceof Error ? e : new Error("Login failed");
+    error.value = e?.data?.message || err.message;
+    emit("error", err);
+    submitting.value = false;
   }
 }
 </script>

package/dist/runtime/components/OpenApeAuth.vue.d.ts

@@ -0,0 +1,38 @@
+type __VLS_Props = {
+    title?: string;
+    subtitle?: string;
+    buttonText?: string;
+    placeholder?: string;
+};
+declare var __VLS_1: {}, __VLS_3: {
+    error: any;
+}, __VLS_5: {
+    submitting: any;
+}, __VLS_7: {};
+type __VLS_Slots = {} & {
+    header?: (props: typeof __VLS_1) => any;
+} & {
+    error?: (props: typeof __VLS_3) => any;
+} & {
+    button?: (props: typeof __VLS_5) => any;
+} & {
+    footer?: (props: typeof __VLS_7) => any;
+};
+declare const __VLS_base: import("vue").DefineComponent<__VLS_Props, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {
+    error: (error: Error) => any;
+}, string, import("vue").PublicProps, Readonly<__VLS_Props> & Readonly<{
+    onError?: ((error: Error) => any) | undefined;
+}>, {
+    title: string;
+    subtitle: string;
+    buttonText: string;
+    placeholder: string;
+}, {}, {}, {}, string, import("vue").ComponentProvideOptions, false, {}, any>;
+declare const __VLS_export: __VLS_WithSlots<typeof __VLS_base, __VLS_Slots>;
+declare const _default: typeof __VLS_export;
+export default _default;
+type __VLS_WithSlots<T, S> = T & {
+    new (): {
+        $slots: S;
+    };
+};

package/dist/runtime/middleware/openape-auth.d.ts

@@ -1,2 +1,2 @@
-declare const _default: import("nuxt/app").RouteMiddleware;
+declare const _default: import("#app").RouteMiddleware;
 export default _default;

package/dist/runtime/server/api/callback.get.js

@@ -30,7 +30,8 @@ export default defineEventHandler(async (event) => {
     clearFlowState(event);
     const session = await getSpSession(event);
     await session.update({
-      claims: result.claims
+      claims: result.claims,
+      authorizationDetails: result.authorizationDetails
     });
     return sendRedirect(event, "/dashboard");
   } catch (err) {

package/dist/runtime/server/routes/well-known/openape.json.get.d.ts

@@ -0,0 +1,17 @@
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, {
+    endpoints?: {} | undefined;
+    rate_limits?: {} | undefined;
+    policies?: {} | undefined;
+    categories?: {} | undefined;
+    scopes?: {} | undefined;
+    version: string;
+    service: {
+        name: any;
+        url: string;
+    };
+    auth: {
+        ddisa_domain: any;
+        supported_methods: string[];
+    };
+}>;
+export default _default;

package/dist/runtime/server/routes/well-known/openape.json.get.js

@@ -0,0 +1,29 @@
+import { defineEventHandler, getRequestURL, setResponseHeader } from "h3";
+import { useRuntimeConfig } from "nitropack/runtime";
+import { getSpConfig } from "../../utils/sp-config.js";
+export default defineEventHandler((event) => {
+  const config = useRuntimeConfig();
+  const { spId, spName } = getSpConfig();
+  const origin = getRequestURL(event).origin;
+  const manifest = config.openapeSp.manifest;
+  setResponseHeader(event, "Access-Control-Allow-Origin", "*");
+  setResponseHeader(event, "Cache-Control", "public, max-age=3600");
+  return {
+    version: "1.0",
+    service: {
+      name: spName,
+      url: origin,
+      ...manifest?.service || {}
+    },
+    auth: {
+      ddisa_domain: spId,
+      supported_methods: ["ddisa"],
+      ...manifest?.auth || {}
+    },
+    ...manifest?.scopes ? { scopes: manifest.scopes } : {},
+    ...manifest?.categories ? { categories: manifest.categories } : {},
+    ...manifest?.policies ? { policies: manifest.policies } : {},
+    ...manifest?.rate_limits ? { rate_limits: manifest.rate_limits } : {},
+    ...manifest?.endpoints ? { endpoints: manifest.endpoints } : {}
+  };
+});

package/dist/runtime/server/utils/grants.d.ts

@@ -0,0 +1,30 @@
+import type { OpenApeAuthorizationDetail } from '@openape/core';
+import type { H3Event } from 'h3';
+/**
+ * Check if the current session has a grant for the given action.
+ */
+export declare function hasGrant(event: H3Event, action: string): Promise<boolean>;
+/**
+ * Find a specific grant by action from the session's authorization_details.
+ */
+export declare function findGrant(event: H3Event, action: string): Promise<OpenApeAuthorizationDetail | null>;
+/**
+ * Consume a 'once' grant by calling the IdP verify endpoint.
+ * Returns the verification result or throws on failure.
+ */
+export declare function consumeGrant(event: H3Event, grantId: string): Promise<{
+    valid: boolean;
+}>;
+/**
+ * Check if the current session is a delegated session (has act claim as object).
+ */
+export declare function isDelegated(event: H3Event): Promise<boolean>;
+/**
+ * Get the actual actor (delegate) from a delegated session.
+ * Returns the delegate's identifier (e.g. agent email) or null if not delegated.
+ */
+export declare function getActor(event: H3Event): Promise<string | null>;
+/**
+ * Get the subject (delegator — person being acted on behalf of) from the session.
+ */
+export declare function getSubject(event: H3Event): Promise<string | null>;

package/dist/runtime/server/utils/grants.js

@@ -0,0 +1,55 @@
+import { getSpSession } from "./sp-session.js";
+import { getSpConfig } from "./sp-config.js";
+export async function hasGrant(event, action) {
+  const session = await getSpSession(event);
+  const details = session.data.authorizationDetails;
+  if (!details) return false;
+  return details.some((d) => d.action === action);
+}
+export async function findGrant(event, action) {
+  const session = await getSpSession(event);
+  const details = session.data.authorizationDetails;
+  if (!details) return null;
+  return details.find((d) => d.action === action) ?? null;
+}
+export async function consumeGrant(event, grantId) {
+  const session = await getSpSession(event);
+  const details = session.data.authorizationDetails;
+  const detail = details?.find((d) => d.grant_id === grantId);
+  if (!detail) {
+    throw new Error(`Grant ${grantId} not found in session`);
+  }
+  const claims = session.data.claims;
+  const idpUrl = claims?.iss || getSpConfig().fallbackIdpUrl;
+  const response = await fetch(`${idpUrl}/api/grants/verify`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ grant_id: grantId })
+  });
+  if (!response.ok) {
+    throw new Error(`Grant verification failed: ${response.status}`);
+  }
+  return response.json();
+}
+export async function isDelegated(event) {
+  const session = await getSpSession(event);
+  const claims = session.data.claims;
+  if (!claims) return false;
+  return typeof claims.act === "object" && claims.act !== null && "sub" in claims.act;
+}
+export async function getActor(event) {
+  const session = await getSpSession(event);
+  const claims = session.data.claims;
+  if (!claims) return null;
+  const act = claims.act;
+  if (typeof act === "object" && act !== null && "sub" in act) {
+    return act.sub;
+  }
+  return null;
+}
+export async function getSubject(event) {
+  const session = await getSpSession(event);
+  const claims = session.data.claims;
+  if (!claims) return null;
+  return claims.sub ?? null;
+}

package/dist/types.d.mts

@@ -1,7 +1,3 @@
-import type { NuxtModule } from '@nuxt/schema'
+export { default } from './module.mjs'
 
-import type { default as Module } from './module.js'
-
-export type ModuleOptions = typeof Module extends NuxtModule<infer O> ? Partial<O> : Record<string, any>
-
-export { default } from './module.js'
+export { type ManifestConfig, type ModuleOptions } from './module.mjs'

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@openape/nuxt-auth-sp",
   "type": "module",
-  "version": "0.3.0",
+  "version": "0.4.1",
   "description": "OpenAPE Service Provider Nuxt module — adds OIDC login via DNS-based IdP discovery",
   "author": "Delta Mind GmbH",
   "license": "AGPL-3.0-or-later",
@@ -33,9 +33,8 @@
   },
   "dependencies": {
     "@nuxt/kit": "^3.21.1",
-    "@openape/auth": "^0.1.3",
-    "@openape/core": "^0.1.2",
-    "@openape/nuxt-auth-sp": "0.3.0",
+    "@openape/auth": "^0.2.0",
+    "@openape/core": "^0.2.0",
     "defu": "^6.1.4"
   },
   "peerDependencies": {
@@ -44,12 +43,15 @@
   "devDependencies": {
     "@antfu/eslint-config": "^7.6.1",
     "@changesets/cli": "^2.30.0",
-    "@nuxt/module-builder": "^0.8.4",
+    "@nuxt/module-builder": "^1.0.2",
+    "@nuxt/ui": "^4.5.1",
     "@types/node": "^22.19.13",
     "eslint": "^9.39.3",
     "nuxt": "^4.3.1",
+    "tailwindcss": "^4.2.1",
     "typescript": "^5.9.3",
     "vitest": "^3.2.4",
+    "vue": "^3.5.30",
     "vue-tsc": "^3.2.5"
   },
   "engines": {

package/dist/module.cjs

@@ -1,5 +0,0 @@
-module.exports = function(...args) {
-  return import('./module.mjs').then(m => m.default.call(this, ...args))
-}
-const _meta = module.exports.meta = require('./module.json')
-module.exports.getMeta = () => Promise.resolve(_meta)

package/dist/module.d.ts

@@ -1,14 +0,0 @@
-import * as _nuxt_schema from '@nuxt/schema';
-
-interface ModuleOptions {
-    spId: string;
-    spName: string;
-    sessionSecret: string;
-    openapeUrl: string;
-    fallbackIdpUrl: string;
-    routes: boolean;
-}
-declare const _default: _nuxt_schema.NuxtModule<ModuleOptions, ModuleOptions, false>;
-
-export { _default as default };
-export type { ModuleOptions };

package/dist/types.d.ts

@@ -1,7 +0,0 @@
-import type { NuxtModule } from '@nuxt/schema'
-
-import type { default as Module } from './module'
-
-export type ModuleOptions = typeof Module extends NuxtModule<infer O> ? Partial<O> : Record<string, any>
-
-export { default } from './module'