@owox/idp-owox-better-auth 0.18.0

package/README.md

@@ -0,0 +1,119 @@
+# @owox/idp-owox-better-auth
+
+Better Auth IDP provider for OWOX Data Marts authentication.
+
+## Setup
+
+### 1. Environment Configuration
+
+```env
+# OWOX IDP
+IDP_PROVIDER=owox-better-auth
+
+IDP_OWOX_DB_TYPE=sqlite
+
+## MySQL Config
+# IDP_OWOX_DB_TYPE=mysql
+# IDP_OWOX_MYSQL_HOST=localhost
+# IDP_OWOX_MYSQL_USER=root
+# IDP_OWOX_MYSQL_PASSWORD=your-password
+# IDP_OWOX_MYSQL_DB=idp_owox
+# IDP_OWOX_MYSQL_PORT=3306
+# IDP_OWOX_MYSQL_SSL=true
+
+IDP_OWOX_CLIENT_BASE_URL=https://idp.example.com
+IDP_OWOX_CLIENT_BACKCHANNEL_PREFIX=/your-custom-prefix
+IDP_OWOX_C2C_SERVICE_ACCOUNT=service-account@example.com
+IDP_OWOX_C2C_TARGET_AUDIENCE=audience-string
+IDP_OWOX_CLIENT_ID=your-client-id
+IDP_OWOX_PLATFORM_SIGN_IN_URL=https://platform.example.com/auth/sign-in
+IDP_OWOX_PLATFORM_SIGN_UP_URL=https://platform.example.com/auth/sign-up
+IDP_OWOX_SIGN_OUT_REDIRECT_URL=https://platform.example.com/auth/signed-out
+IDP_OWOX_JWT_ISSUER=https://idp.example.com
+
+# Better Auth IDP
+IDP_BETTER_AUTH_SECRET=your-super-secret-key-at-least-32-characters-long
+
+# Social login (Google)
+# IDP_BETTER_AUTH_GOOGLE_CLIENT_ID=xx
+# IDP_BETTER_AUTH_GOOGLE_CLIENT_SECRET=xx
+```
+
+## Configuration Reference
+
+| Variable                               | Required |                   Default                   | Description                                           |
+| -------------------------------------- | :------: | :-----------------------------------------: | ----------------------------------------------------- |
+| `IDP_PROVIDER`                         | **Yes**  |                      –                      | Set to `owox-better-auth`                             |
+| `IDP_OWOX_DB_TYPE`                     |    No    |                  `sqlite`                   | Database type: `sqlite` or `mysql`                    |
+| `IDP_OWOX_SQLITE_DB_PATH`              |    No    | `<app data>/sqlite/idp/owox-better-auth.db` | SQLite database file path                             |
+| `IDP_OWOX_MYSQL_HOST`                  |    No    |                      –                      | MySQL host                                            |
+| `IDP_OWOX_MYSQL_USER`                  |    No    |                      –                      | MySQL user                                            |
+| `IDP_OWOX_MYSQL_PASSWORD`              |    No    |                      –                      | MySQL password                                        |
+| `IDP_OWOX_MYSQL_DB`                    |    No    |                      –                      | MySQL database                                        |
+| `IDP_OWOX_MYSQL_PORT`                  |    No    |                   `3306`                    | MySQL port                                            |
+| `IDP_OWOX_MYSQL_SSL`                   |    No    |                   `false`                   | Enable SSL: `true`, JSON, or string                   |
+| `IDP_OWOX_CLIENT_BASE_URL`             | **Yes**  |                      –                      | Identity client base URL                              |
+| `IDP_OWOX_CLIENT_BACKCHANNEL_PREFIX`   | **Yes**  |                      –                      | Identity client path prefix for backchannel endpoints |
+| `IDP_OWOX_C2C_SERVICE_ACCOUNT`         | **Yes**  |                      –                      | Service account email for C2C impersonation           |
+| `IDP_OWOX_C2C_TARGET_AUDIENCE`         | **Yes**  |                      –                      | Target audience for C2C impersonation                 |
+| `IDP_OWOX_CLIENT_ID`                   | **Yes**  |                      –                      | Client id for PKCE                                    |
+| `IDP_OWOX_PLATFORM_SIGN_IN_URL`        | **Yes**  |                      –                      | Platform sign-in URL (redirect target)                |
+| `IDP_OWOX_PLATFORM_SIGN_UP_URL`        | **Yes**  |                      –                      | Platform sign-up URL (redirect target)                |
+| `IDP_OWOX_SIGN_OUT_REDIRECT_URL`       |    No    |               `/auth/sign-in`               | Custom redirect after sign-out                        |
+| `IDP_OWOX_ALLOWED_REDIRECT_ORIGINS`    |    No    |    origins from platform sign-in/up URLs    | Allowlist for redirect-to/app-redirect-to             |
+| `IDP_OWOX_JWT_ISSUER`                  | **Yes**  |                      –                      | Expected JWT issuer                                   |
+| `IDP_OWOX_JWT_CACHE_TTL`               |    No    |                    `1h`                     | JWKS cache TTL                                        |
+| `IDP_OWOX_JWT_CLOCK_TOLERANCE`         |    No    |                    `5s`                     | Clock skew tolerance                                  |
+| `IDP_BETTER_AUTH_SECRET`               | **Yes**  |                      –                      | Secret key for signing (min. 32 characters)           |
+| `PUBLIC_ORIGIN`                        |    No    |           `http://localhost:3000`           | Base URL for callbacks                                |
+| `IDP_BETTER_AUTH_SESSION_MAX_AGE`      |    No    |              `1800` (30 mins)               | Session duration (seconds)                            |
+| `IDP_BETTER_AUTH_TRUSTED_ORIGINS`      |    No    |               `PUBLIC_ORIGIN`               | Trusted origins for auth service                      |
+| `IDP_BETTER_AUTH_GOOGLE_CLIENT_ID`     |    No    |                      –                      | Google OAuth client id (enables Google)               |
+| `IDP_BETTER_AUTH_GOOGLE_CLIENT_SECRET` |    No    |                      –                      | Google OAuth client secret                            |
+
+## Troubleshooting
+
+### "IDP_BETTER_AUTH_SECRET is not set" Error
+
+Make sure your `.env` file contains a valid `IDP_BETTER_AUTH_SECRET` with at least 32 characters.
+
+### Database Connection Issues
+
+For MySQL, verify your connection settings and ensure the database exists.
+
+### Permission Denied
+
+Ensure the user has permission for the action they're trying to perform.
+
+## Customizing the auth UI
+
+### How it works
+
+- Rendering goes through `TemplateService`, which stitches layout + page: `renderSignIn()` and `renderSignUp()` inject `pageTitle` and `heading` and place the page body into `layouts/auth.ejs`.
+- The service first looks for templates in `dist/resources/templates`, and if missing, falls back to `src/resources/templates`. After changing files in `src`, run `npm run build` to refresh `dist`.
+- Templates are EJS and styled with Tailwind via CDN (`partials/head.ejs` contains the Tailwind config with OWOX brand colors).
+
+### Where the files live
+
+- Layout: `src/resources/templates/layouts/auth.ejs` — splits the screen into brand panel + content and pulls in header/footer.
+- Pages: `pages/sign-in.ejs`, `pages/sign-up.ejs` — Google buttons, copy, and the social-login start script.
+- Partials:
+  - `head.ejs` — `<head>`, Tailwind include, color palette.
+  - `header.ejs` — page heading (receives `heading`).
+  - `brand-panel.ejs` — left panel with background and logo.
+  - `footer.ejs` — terms and privacy links.
+
+### What and how to change
+
+- Text/links: edit the relevant `pages/*.ejs` or `partials/footer.ejs`.
+- Page heading: adjust `heading` in `TemplateService.renderSignIn|renderSignUp`, or edit `partials/header.ejs` if you need a different look.
+- Buttons and social-login logic: in `pages/sign-in.ejs` and `pages/sign-up.ejs` (the `fetch` handler to `/auth/better-auth/sign-in/social`).
+- Styles/colors: tweak the Tailwind config in `partials/head.ejs` or utility classes in each section.
+- Branding (background, logo, tagline): in `partials/brand-panel.ejs`.
+
+### Quick steps
+
+1. Edit the needed `.ejs` in `src/resources/templates/**`.
+2. Check rendering locally (via the app that consumes this package).
+3. Run `npm run build` to update `dist/resources/templates`.
+4. Commit changes in `src` (and `dist` if you ship built artifacts).

package/dist/client/IdentityOwoxClient.d.ts

@@ -0,0 +1,41 @@
+import { Projects } from '@owox/idp-protocol';
+import { IdentityOwoxClientConfig } from '../config/idp-owox-config.js';
+import { AuthFlowRequest, AuthFlowResponse, IntrospectionRequest, IntrospectionResponse, JwksResponse, RevocationRequest, RevocationResponse, TokenRequest, TokenResponse } from './dto/index.js';
+/**
+ * Represents a client for interacting with the Identity OWOX API.
+ * Provides methods for token management, validation, and retrieval of key sets.
+ */
+export declare class IdentityOwoxClient {
+    private readonly http;
+    private readonly impersonatedIdTokenFetcher?;
+    private readonly c2cServiceAccountEmail?;
+    private readonly c2cTargetAudience?;
+    private readonly clientBackchannelPrefix;
+    constructor(config: IdentityOwoxClientConfig);
+    /**
+     * POST /api/idp/token
+     */
+    getToken(req: TokenRequest): Promise<TokenResponse>;
+    /**
+     * POST /api/idp/revocation
+     */
+    revokeToken(req: RevocationRequest): Promise<RevocationResponse>;
+    /**
+     * GET /api/idp/introspection
+     */
+    introspectToken(req: IntrospectionRequest): Promise<IntrospectionResponse>;
+    /**
+     * GET /api/idp/projects
+     */
+    getProjects(accessToken: string): Promise<Projects>;
+    /**
+     * GET /api/idp/.well-known/jwks.json
+     */
+    getJwks(): Promise<JwksResponse>;
+    /**
+     * Completes auth flow by exchanging user info for a one-time authorization code.
+     * Requires service account authentication for the private internal endpoint.
+     */
+    completeAuthFlow(request: AuthFlowRequest): Promise<AuthFlowResponse>;
+}
+//# sourceMappingURL=IdentityOwoxClient.d.ts.map

package/dist/client/IdentityOwoxClient.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"IdentityOwoxClient.d.ts","sourceRoot":"","sources":["../../src/client/IdentityOwoxClient.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAkB,MAAM,oBAAoB,CAAC;AAI9D,OAAO,EAAE,wBAAwB,EAAE,MAAM,8BAA8B,CAAC;AAExE,OAAO,EACL,eAAe,EACf,gBAAgB,EAEhB,oBAAoB,EACpB,qBAAqB,EAErB,YAAY,EAEZ,iBAAiB,EACjB,kBAAkB,EAClB,YAAY,EACZ,aAAa,EAEd,MAAM,gBAAgB,CAAC;AAExB;;;GAGG;AACH,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAgB;IACrC,OAAO,CAAC,QAAQ,CAAC,0BAA0B,CAAC,CAA6B;IACzE,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAS;IACjD,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAS;IAC5C,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAS;gBAErC,MAAM,EAAE,wBAAwB;IAsB5C;;OAEG;IACG,QAAQ,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,aAAa,CAAC;IAyBzD;;OAEG;IACG,WAAW,CAAC,GAAG,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAKtE;;OAEG;IACG,eAAe,CAAC,GAAG,EAAE,oBAAoB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IAUhF;;OAEG;IACG,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAUzD;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,YAAY,CAAC;IAKtC;;;OAGG;IACG,gBAAgB,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,gBAAgB,CAAC;CA4C5E"}

package/dist/client/IdentityOwoxClient.js

@@ -0,0 +1,128 @@
+import { ProjectsSchema } from '@owox/idp-protocol';
+import { ImpersonatedIdTokenFetcher } from '@owox/internal-helpers';
+import axios from 'axios';
+import ms from 'ms';
+import { AuthenticationException, IdpFailedException } from '../core/exceptions.js';
+import { AuthFlowResponseSchema, IntrospectionResponseSchema, JwksResponseSchema, TokenResponseSchema, } from './dto/index.js';
+/**
+ * Represents a client for interacting with the Identity OWOX API.
+ * Provides methods for token management, validation, and retrieval of key sets.
+ */
+export class IdentityOwoxClient {
+    http;
+    impersonatedIdTokenFetcher;
+    c2cServiceAccountEmail;
+    c2cTargetAudience;
+    clientBackchannelPrefix;
+    constructor(config) {
+        const timeout = typeof config.clientTimeout === 'number' ? config.clientTimeout : ms(config.clientTimeout);
+        this.http = axios.create({
+            baseURL: config.clientBaseUrl,
+            timeout,
+            headers: {
+                'Content-Type': 'application/json',
+                ...(config.defaultHeaders ?? {}),
+            },
+        });
+        this.clientBackchannelPrefix = config.clientBackchannelPrefix;
+        // Initialize service account authentication if configured
+        if (config.c2cServiceAccountEmail && config.c2cTargetAudience) {
+            this.impersonatedIdTokenFetcher = new ImpersonatedIdTokenFetcher();
+            this.c2cServiceAccountEmail = config.c2cServiceAccountEmail;
+            this.c2cTargetAudience = config.c2cTargetAudience;
+        }
+    }
+    /**
+     * POST /api/idp/token
+     */
+    async getToken(req) {
+        try {
+            const { data } = await this.http.post('/api/idp/token', req);
+            return TokenResponseSchema.parse(data);
+        }
+        catch (err) {
+            if (axios.isAxiosError(err)) {
+                const status = err.response?.status;
+                if (status === 401) {
+                    throw new AuthenticationException('Invalid or expired credentials', {
+                        cause: err,
+                        context: { req },
+                    });
+                }
+                throw new IdpFailedException(`Failed to get token: ${status}`, {
+                    cause: err,
+                    context: { req },
+                });
+            }
+            throw err;
+        }
+    }
+    /**
+     * POST /api/idp/revocation
+     */
+    async revokeToken(req) {
+        const resp = await this.http.post('/api/idp/revocation', req);
+        return { success: resp.status >= 200 && resp.status < 300 };
+    }
+    /**
+     * GET /api/idp/introspection
+     */
+    async introspectToken(req) {
+        const { data } = await this.http.get('/api/idp/introspection', {
+            headers: {
+                Authorization: req.token,
+            },
+        });
+        return IntrospectionResponseSchema.parse(data);
+    }
+    /**
+     * GET /api/idp/projects
+     */
+    async getProjects(accessToken) {
+        const { data } = await this.http.get('/api/idp/projects', {
+            headers: {
+                Authorization: accessToken,
+            },
+        });
+        return ProjectsSchema.parse(data);
+    }
+    /**
+     * GET /api/idp/.well-known/jwks.json
+     */
+    async getJwks() {
+        const { data } = await this.http.get('/api/idp/.well-known/jwks.json');
+        return JwksResponseSchema.parse(data);
+    }
+    /**
+     * Completes auth flow by exchanging user info for a one-time authorization code.
+     * Requires service account authentication for the private internal endpoint.
+     */
+    async completeAuthFlow(request) {
+        if (!this.impersonatedIdTokenFetcher ||
+            !this.c2cServiceAccountEmail ||
+            !this.c2cTargetAudience) {
+            throw new IdpFailedException('Service account authentication is not configured. Cannot complete auth flow.', { context: { hasRequest: Boolean(request) } });
+        }
+        try {
+            const idToken = await this.impersonatedIdTokenFetcher.getIdToken(this.c2cServiceAccountEmail, this.c2cTargetAudience);
+            const { data } = await this.http.post(`${this.clientBackchannelPrefix}/idp/auth-flow/complete`, request, {
+                headers: {
+                    Authorization: `Bearer ${idToken}`,
+                },
+            });
+            // Validate and return response
+            return AuthFlowResponseSchema.parse(data);
+        }
+        catch (err) {
+            if (axios.isAxiosError(err)) {
+                const status = err.response?.status;
+                const responseData = err.response?.data;
+                throw new IdpFailedException(`Failed to complete auth flow: ${status}`, {
+                    cause: err,
+                    context: { request, status, responseData },
+                });
+            }
+            throw err;
+        }
+    }
+}

package/dist/client/dto/authFlowDto.d.ts

@@ -0,0 +1,27 @@
+import { z } from 'zod';
+/** User information and state for auth flow completion. */
+export interface AuthFlowRequest {
+    state: string;
+    userInfo: {
+        uid: string;
+        signinProvider: string;
+        email: string;
+        firstName?: string;
+        lastName?: string;
+        fullName?: string;
+        avatar?: string;
+    };
+}
+/** One-time authorization code response. */
+export interface AuthFlowResponse {
+    code: string;
+}
+/** Validates auth flow response structure. */
+export declare const AuthFlowResponseSchema: z.ZodObject<{
+    code: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    code: string;
+}, {
+    code: string;
+}>;
+//# sourceMappingURL=authFlowDto.d.ts.map

package/dist/client/dto/authFlowDto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authFlowDto.d.ts","sourceRoot":"","sources":["../../../src/client/dto/authFlowDto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,2DAA2D;AAC3D,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE;QACR,GAAG,EAAE,MAAM,CAAC;QACZ,cAAc,EAAE,MAAM,CAAC;QACvB,KAAK,EAAE,MAAM,CAAC;QACd,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;CACH;AAED,4CAA4C;AAC5C,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;CACd;AAED,8CAA8C;AAC9C,eAAO,MAAM,sBAAsB;;;;;;EAEjC,CAAC"}

package/dist/client/dto/authFlowDto.js

@@ -0,0 +1,5 @@
+import { z } from 'zod';
+/** Validates auth flow response structure. */
+export const AuthFlowResponseSchema = z.object({
+    code: z.string().min(1, 'Authorization code is required'),
+});

package/dist/client/dto/idpOwoxPayloadDto.d.ts

@@ -0,0 +1,29 @@
+import { z } from 'zod';
+/** Payload schema returned by Identity OWOX introspection. */
+export declare const IdpOwoxPayloadSchema: z.ZodObject<{
+    userId: z.ZodString;
+    projectId: z.ZodString;
+    userEmail: z.ZodString;
+    userFullName: z.ZodString;
+    userAvatar: z.ZodNullable<z.ZodString>;
+    roles: z.ZodEffects<z.ZodEffects<z.ZodArray<z.ZodEnum<["admin", "editor", "viewer"]>, "atleastone">, ("admin" | "editor" | "viewer")[], ["admin" | "editor" | "viewer", ...("admin" | "editor" | "viewer")[]]>, ("admin" | "editor" | "viewer")[], unknown>;
+    projectTitle: z.ZodString;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    userId: z.ZodString;
+    projectId: z.ZodString;
+    userEmail: z.ZodString;
+    userFullName: z.ZodString;
+    userAvatar: z.ZodNullable<z.ZodString>;
+    roles: z.ZodEffects<z.ZodEffects<z.ZodArray<z.ZodEnum<["admin", "editor", "viewer"]>, "atleastone">, ("admin" | "editor" | "viewer")[], ["admin" | "editor" | "viewer", ...("admin" | "editor" | "viewer")[]]>, ("admin" | "editor" | "viewer")[], unknown>;
+    projectTitle: z.ZodString;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    userId: z.ZodString;
+    projectId: z.ZodString;
+    userEmail: z.ZodString;
+    userFullName: z.ZodString;
+    userAvatar: z.ZodNullable<z.ZodString>;
+    roles: z.ZodEffects<z.ZodEffects<z.ZodArray<z.ZodEnum<["admin", "editor", "viewer"]>, "atleastone">, ("admin" | "editor" | "viewer")[], ["admin" | "editor" | "viewer", ...("admin" | "editor" | "viewer")[]]>, ("admin" | "editor" | "viewer")[], unknown>;
+    projectTitle: z.ZodString;
+}, z.ZodTypeAny, "passthrough">>;
+export type IdpOwoxPayload = z.infer<typeof IdpOwoxPayloadSchema>;
+//# sourceMappingURL=idpOwoxPayloadDto.d.ts.map

package/dist/client/dto/idpOwoxPayloadDto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"idpOwoxPayloadDto.d.ts","sourceRoot":"","sources":["../../../src/client/dto/idpOwoxPayloadDto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,8DAA8D;AAC9D,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;gCA2BjB,CAAC;AAEjB,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC"}

package/dist/client/dto/idpOwoxPayloadDto.js

@@ -0,0 +1,28 @@
+import { z } from 'zod';
+import { RoleEnum } from '@owox/idp-protocol';
+/** Payload schema returned by Identity OWOX introspection. */
+export const IdpOwoxPayloadSchema = z
+    .object({
+    userId: z.string().min(1, 'userId is required'),
+    projectId: z.string().min(1, 'projectId is required'),
+    userEmail: z.string().email(),
+    userFullName: z.string().min(1, 'userFullName is required'),
+    userAvatar: z.string().url().nullable(),
+    roles: z.preprocess(val => {
+        if (typeof val === 'string') {
+            return val
+                .split(',')
+                .map(r => r.trim().toLowerCase())
+                .filter(Boolean);
+        }
+        if (Array.isArray(val)) {
+            return val.map(r => String(r).trim().toLowerCase()).filter(Boolean);
+        }
+        return [];
+    }, z
+        .array(RoleEnum)
+        .nonempty()
+        .transform(arr => Array.from(new Set(arr)))),
+    projectTitle: z.string().min(1, 'projectTitle is required'),
+})
+    .passthrough();

package/dist/client/dto/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * DTO schema exports for Identity OWOX API.
+ */
+export * from './authFlowDto.js';
+export * from './idpOwoxPayloadDto.js';
+export * from './introspectionDto.js';
+export * from './jwksDto.js';
+export * from './revocationDto.js';
+export * from './tokenDto.js';
+export * from './tokenType.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/client/dto/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/client/dto/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,cAAc,kBAAkB,CAAC;AACjC,cAAc,wBAAwB,CAAC;AACvC,cAAc,uBAAuB,CAAC;AACtC,cAAc,cAAc,CAAC;AAC7B,cAAc,oBAAoB,CAAC;AACnC,cAAc,eAAe,CAAC;AAC9B,cAAc,gBAAgB,CAAC"}

package/dist/client/dto/index.js

@@ -0,0 +1,10 @@
+/**
+ * DTO schema exports for Identity OWOX API.
+ */
+export * from './authFlowDto.js';
+export * from './idpOwoxPayloadDto.js';
+export * from './introspectionDto.js';
+export * from './jwksDto.js';
+export * from './revocationDto.js';
+export * from './tokenDto.js';
+export * from './tokenType.js';

package/dist/client/dto/introspectionDto.d.ts

@@ -0,0 +1,70 @@
+import { z } from 'zod';
+/** Token introspection request payload. */
+export interface IntrospectionRequest {
+    token: string;
+}
+/** Token introspection response schema. */
+export declare const IntrospectionResponseSchema: z.ZodDiscriminatedUnion<"isActive", [z.ZodObject<{
+    userId: z.ZodString;
+    projectId: z.ZodString;
+    userEmail: z.ZodString;
+    userFullName: z.ZodString;
+    userAvatar: z.ZodNullable<z.ZodString>;
+    roles: z.ZodEffects<z.ZodEffects<z.ZodArray<z.ZodEnum<["admin", "editor", "viewer"]>, "atleastone">, ("admin" | "editor" | "viewer")[], ["admin" | "editor" | "viewer", ...("admin" | "editor" | "viewer")[]]>, ("admin" | "editor" | "viewer")[], unknown>;
+    projectTitle: z.ZodString;
+} & {
+    isActive: z.ZodLiteral<true>;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    userId: z.ZodString;
+    projectId: z.ZodString;
+    userEmail: z.ZodString;
+    userFullName: z.ZodString;
+    userAvatar: z.ZodNullable<z.ZodString>;
+    roles: z.ZodEffects<z.ZodEffects<z.ZodArray<z.ZodEnum<["admin", "editor", "viewer"]>, "atleastone">, ("admin" | "editor" | "viewer")[], ["admin" | "editor" | "viewer", ...("admin" | "editor" | "viewer")[]]>, ("admin" | "editor" | "viewer")[], unknown>;
+    projectTitle: z.ZodString;
+} & {
+    isActive: z.ZodLiteral<true>;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    userId: z.ZodString;
+    projectId: z.ZodString;
+    userEmail: z.ZodString;
+    userFullName: z.ZodString;
+    userAvatar: z.ZodNullable<z.ZodString>;
+    roles: z.ZodEffects<z.ZodEffects<z.ZodArray<z.ZodEnum<["admin", "editor", "viewer"]>, "atleastone">, ("admin" | "editor" | "viewer")[], ["admin" | "editor" | "viewer", ...("admin" | "editor" | "viewer")[]]>, ("admin" | "editor" | "viewer")[], unknown>;
+    projectTitle: z.ZodString;
+} & {
+    isActive: z.ZodLiteral<true>;
+}, z.ZodTypeAny, "passthrough">>, z.ZodObject<{
+    [x: string]: z.ZodNull;
+    userId: z.ZodNull;
+    projectId: z.ZodNull;
+    userEmail: z.ZodNull;
+    userFullName: z.ZodNull;
+    userAvatar: z.ZodNull;
+    roles: z.ZodNull;
+    projectTitle: z.ZodNull;
+} & {
+    isActive: z.ZodLiteral<false>;
+}, "strict", z.ZodTypeAny, {
+    [x: string]: null;
+    userId?: unknown;
+    projectId?: unknown;
+    userEmail?: unknown;
+    userFullName?: unknown;
+    userAvatar?: unknown;
+    roles?: unknown;
+    projectTitle?: unknown;
+    isActive?: unknown;
+}, {
+    [x: string]: null;
+    userId?: unknown;
+    projectId?: unknown;
+    userEmail?: unknown;
+    userFullName?: unknown;
+    userAvatar?: unknown;
+    roles?: unknown;
+    projectTitle?: unknown;
+    isActive?: unknown;
+}>]>;
+export type IntrospectionResponse = z.infer<typeof IntrospectionResponseSchema>;
+//# sourceMappingURL=introspectionDto.d.ts.map

package/dist/client/dto/introspectionDto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"introspectionDto.d.ts","sourceRoot":"","sources":["../../../src/client/dto/introspectionDto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,2CAA2C;AAC3C,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;CACf;AAgBD,2CAA2C;AAC3C,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAGtC,CAAC;AAEH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC"}

package/dist/client/dto/introspectionDto.js

@@ -0,0 +1,15 @@
+import { z } from 'zod';
+import { IdpOwoxPayloadSchema } from './idpOwoxPayloadDto.js';
+const ActiveSchema = IdpOwoxPayloadSchema.extend({
+    isActive: z.literal(true),
+});
+const inactiveShape = Object.fromEntries(Object.keys(IdpOwoxPayloadSchema.shape).map(k => [k, z.null()]));
+const InactiveSchema = z
+    .object(inactiveShape)
+    .strict()
+    .extend({ isActive: z.literal(false) });
+/** Token introspection response schema. */
+export const IntrospectionResponseSchema = z.discriminatedUnion('isActive', [
+    ActiveSchema,
+    InactiveSchema,
+]);

package/dist/client/dto/jwksDto.d.ts

@@ -0,0 +1,102 @@
+import { z } from 'zod';
+import { JWK } from 'jose';
+/** JSON Web Key schema used in JWKS responses. */
+export declare const JsonWebKeySchema: z.ZodObject<{
+    kty: z.ZodString;
+    use: z.ZodString;
+    alg: z.ZodString;
+    kid: z.ZodString;
+    n: z.ZodString;
+    e: z.ZodString;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    kty: z.ZodString;
+    use: z.ZodString;
+    alg: z.ZodString;
+    kid: z.ZodString;
+    n: z.ZodString;
+    e: z.ZodString;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    kty: z.ZodString;
+    use: z.ZodString;
+    alg: z.ZodString;
+    kid: z.ZodString;
+    n: z.ZodString;
+    e: z.ZodString;
+}, z.ZodTypeAny, "passthrough">>;
+/** JWKS response schema. */
+export declare const JwksResponseSchema: z.ZodEffects<z.ZodObject<{
+    keys: z.ZodArray<z.ZodObject<{
+        kty: z.ZodString;
+        use: z.ZodString;
+        alg: z.ZodString;
+        kid: z.ZodString;
+        n: z.ZodString;
+        e: z.ZodString;
+    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+        kty: z.ZodString;
+        use: z.ZodString;
+        alg: z.ZodString;
+        kid: z.ZodString;
+        n: z.ZodString;
+        e: z.ZodString;
+    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+        kty: z.ZodString;
+        use: z.ZodString;
+        alg: z.ZodString;
+        kid: z.ZodString;
+        n: z.ZodString;
+        e: z.ZodString;
+    }, z.ZodTypeAny, "passthrough">>, "atleastone">;
+}, "strip", z.ZodTypeAny, {
+    keys: [z.objectOutputType<{
+        kty: z.ZodString;
+        use: z.ZodString;
+        alg: z.ZodString;
+        kid: z.ZodString;
+        n: z.ZodString;
+        e: z.ZodString;
+    }, z.ZodTypeAny, "passthrough">, ...z.objectOutputType<{
+        kty: z.ZodString;
+        use: z.ZodString;
+        alg: z.ZodString;
+        kid: z.ZodString;
+        n: z.ZodString;
+        e: z.ZodString;
+    }, z.ZodTypeAny, "passthrough">[]];
+}, {
+    keys: [z.objectInputType<{
+        kty: z.ZodString;
+        use: z.ZodString;
+        alg: z.ZodString;
+        kid: z.ZodString;
+        n: z.ZodString;
+        e: z.ZodString;
+    }, z.ZodTypeAny, "passthrough">, ...z.objectInputType<{
+        kty: z.ZodString;
+        use: z.ZodString;
+        alg: z.ZodString;
+        kid: z.ZodString;
+        n: z.ZodString;
+        e: z.ZodString;
+    }, z.ZodTypeAny, "passthrough">[]];
+}>, {
+    keys: JWK[];
+}, {
+    keys: [z.objectInputType<{
+        kty: z.ZodString;
+        use: z.ZodString;
+        alg: z.ZodString;
+        kid: z.ZodString;
+        n: z.ZodString;
+        e: z.ZodString;
+    }, z.ZodTypeAny, "passthrough">, ...z.objectInputType<{
+        kty: z.ZodString;
+        use: z.ZodString;
+        alg: z.ZodString;
+        kid: z.ZodString;
+        n: z.ZodString;
+        e: z.ZodString;
+    }, z.ZodTypeAny, "passthrough">[]];
+}>;
+export type JwksResponse = z.infer<typeof JwksResponseSchema>;
+//# sourceMappingURL=jwksDto.d.ts.map

package/dist/client/dto/jwksDto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwksDto.d.ts","sourceRoot":"","sources":["../../../src/client/dto/jwksDto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,GAAG,EAAE,MAAM,MAAM,CAAC;AAE3B,kDAAkD;AAClD,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;gCASb,CAAC;AAEjB,4BAA4B;AAC5B,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;UAIiB,GAAG,EAAE;;;;;;;;;;;;;;;;;EAAI,CAAC;AAE1D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC"}

package/dist/client/dto/jwksDto.js

@@ -0,0 +1,18 @@
+import { z } from 'zod';
+/** JSON Web Key schema used in JWKS responses. */
+export const JsonWebKeySchema = z
+    .object({
+    kty: z.string(),
+    use: z.string(),
+    alg: z.string(),
+    kid: z.string(),
+    n: z.string(),
+    e: z.string(),
+})
+    .passthrough();
+/** JWKS response schema. */
+export const JwksResponseSchema = z
+    .object({
+    keys: z.array(JsonWebKeySchema).nonempty(),
+})
+    .transform(v => ({ keys: v.keys }));

package/dist/client/dto/revocationDto.d.ts

@@ -0,0 +1,11 @@
+import { TokenType } from './tokenType.js';
+/** Token revocation request payload. */
+export interface RevocationRequest {
+    token: string;
+    tokenType?: TokenType;
+}
+/** Token revocation response payload. */
+export interface RevocationResponse {
+    success: boolean;
+}
+//# sourceMappingURL=revocationDto.d.ts.map

package/dist/client/dto/revocationDto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"revocationDto.d.ts","sourceRoot":"","sources":["../../../src/client/dto/revocationDto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAE3C,wCAAwC;AACxC,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,SAAS,CAAC;CACvB;AAED,yCAAyC;AACzC,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;CAClB"}

package/dist/client/dto/revocationDto.js

@@ -0,0 +1 @@
+export {};