@owox/idp-owox-better-auth 0.18.0

package/dist/index.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Public entry point for idp-owox-better-auth exports.
+ */
+export { createBetterAuthConfig } from './config/idp-better-auth-config.js';
+export { loadBetterAuthProviderConfigFromEnv, loadIdpOwoxConfigFromEnv, type BetterAuthProviderConfig, } from './config/index.js';
+export { OwoxBetterAuthIdp, OwoxBetterAuthIdp as OwoxBetterAuthProvider, OwoxBetterAuthIdp as OwoxIdp, } from './owox-better-auth-idp.js';
+export { BetterAuthSessionService } from './services/auth/better-auth-session-service.js';
+export { MiddlewareService } from './services/middleware/middleware-service.js';
+export { RequestHandlerService } from './services/middleware/request-handler-service.js';
+export { PageService } from './services/rendering/page-service.js';
+export { TemplateService } from './services/rendering/template-service.js';
+export type { BetterAuthConfig, DatabaseConfig, MySqlConfig, SqliteConfig } from './types/index.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,sBAAsB,EAAE,MAAM,oCAAoC,CAAC;AAC5E,OAAO,EACL,mCAAmC,EACnC,wBAAwB,EACxB,KAAK,wBAAwB,GAC9B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,iBAAiB,EACjB,iBAAiB,IAAI,sBAAsB,EAC3C,iBAAiB,IAAI,OAAO,GAC7B,MAAM,2BAA2B,CAAC;AAGnC,OAAO,EAAE,wBAAwB,EAAE,MAAM,gDAAgD,CAAC;AAC1F,OAAO,EAAE,iBAAiB,EAAE,MAAM,6CAA6C,CAAC;AAChF,OAAO,EAAE,qBAAqB,EAAE,MAAM,kDAAkD,CAAC;AACzF,OAAO,EAAE,WAAW,EAAE,MAAM,sCAAsC,CAAC;AACnE,OAAO,EAAE,eAAe,EAAE,MAAM,0CAA0C,CAAC;AAG3E,YAAY,EAAE,gBAAgB,EAAE,cAAc,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/index.js

@@ -0,0 +1,13 @@
+/**
+ * Public entry point for idp-owox-better-auth exports.
+ */
+// Main Auth exports
+export { createBetterAuthConfig } from './config/idp-better-auth-config.js';
+export { loadBetterAuthProviderConfigFromEnv, loadIdpOwoxConfigFromEnv, } from './config/index.js';
+export { OwoxBetterAuthIdp, OwoxBetterAuthIdp as OwoxBetterAuthProvider, OwoxBetterAuthIdp as OwoxIdp, } from './owox-better-auth-idp.js';
+// Services
+export { BetterAuthSessionService } from './services/auth/better-auth-session-service.js';
+export { MiddlewareService } from './services/middleware/middleware-service.js';
+export { RequestHandlerService } from './services/middleware/request-handler-service.js';
+export { PageService } from './services/rendering/page-service.js';
+export { TemplateService } from './services/rendering/template-service.js';

package/dist/jwt/jwksCache.d.ts

@@ -0,0 +1,24 @@
+import { createLocalJWKSet, JWK } from 'jose';
+/** JWKS payload structure. */
+export interface JWKSet {
+    keys: JWK[];
+}
+/** Async loader for JWKS keys. */
+export interface JwksFetcher {
+    (): Promise<JWKSet>;
+}
+interface CacheEntry {
+    jwks: JWKSet;
+    keyResolver: ReturnType<typeof createLocalJWKSet>;
+    exp: number;
+    inflight?: Promise<CacheEntry>;
+}
+/**
+ * Creates an in-memory JWKS cache with refresh support.
+ */
+export declare function makeJwksCache(fetchJwks: JwksFetcher, key: string): {
+    get: (ttlMs: number) => Promise<CacheEntry>;
+    refresh: (ttlMs: number) => Promise<CacheEntry>;
+};
+export {};
+//# sourceMappingURL=jwksCache.d.ts.map

package/dist/jwt/jwksCache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwksCache.d.ts","sourceRoot":"","sources":["../../src/jwt/jwksCache.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,GAAG,EAAE,MAAM,MAAM,CAAC;AAE9C,8BAA8B;AAC9B,MAAM,WAAW,MAAM;IACrB,IAAI,EAAE,GAAG,EAAE,CAAC;CACb;AAED,kCAAkC;AAClC,MAAM,WAAW,WAAW;IAC1B,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CACrB;AAED,UAAU,UAAU;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,UAAU,CAAC,OAAO,iBAAiB,CAAC,CAAC;IAClD,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,CAAC,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;CAChC;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,WAAW,EAAE,GAAG,EAAE,MAAM;iBA2BrC,MAAM,KAAG,OAAO,CAAC,UAAU,CAAC;qBAMxB,MAAM;EAKrC"}

package/dist/jwt/jwksCache.js

@@ -0,0 +1,41 @@
+import { createLocalJWKSet } from 'jose';
+/**
+ * Creates an in-memory JWKS cache with refresh support.
+ */
+export function makeJwksCache(fetchJwks, key) {
+    const cache = new Map();
+    async function load(ttlMs) {
+        const existing = cache.get(key);
+        if (existing?.inflight)
+            return existing.inflight;
+        const inflight = (async () => {
+            const jwks = await fetchJwks();
+            const cacheEntry = {
+                jwks,
+                keyResolver: createLocalJWKSet(jwks),
+                exp: Date.now() + ttlMs,
+            };
+            cache.set(key, cacheEntry);
+            return cacheEntry;
+        })();
+        cache.set(key, { ...(existing ?? {}), inflight });
+        try {
+            return await inflight;
+        }
+        finally {
+            const cacheEntry = cache.get(key);
+            if (cacheEntry)
+                cacheEntry.inflight = undefined;
+        }
+    }
+    async function get(ttlMs) {
+        const cacheEntry = cache.get(key);
+        if (!cacheEntry || cacheEntry.exp <= Date.now())
+            return load(ttlMs);
+        return cacheEntry;
+    }
+    async function refresh(ttlMs) {
+        return load(ttlMs);
+    }
+    return { get, refresh };
+}

package/dist/jwt/parseToken.d.ts

@@ -0,0 +1,15 @@
+import { Payload } from '@owox/idp-protocol';
+import ms from 'ms';
+import { IdentityOwoxClient } from '../client/index.js';
+/** Configuration for JWT parsing and verification. */
+export interface ParseTokenConfig {
+    jwtKeyCacheTtl: ms.StringValue;
+    clockTolerance: string | number;
+    expectedIss: string;
+    algorithm: string;
+}
+/**
+ * Parses and verifies a JWT using JWKS from Identity OWOX.
+ */
+export declare function parseToken(token: string, client: IdentityOwoxClient, config: ParseTokenConfig): Promise<Payload>;
+//# sourceMappingURL=parseToken.d.ts.map

package/dist/jwt/parseToken.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parseToken.d.ts","sourceRoot":"","sources":["../../src/jwt/parseToken.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC7C,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAGxD,sDAAsD;AACtD,MAAM,WAAW,gBAAgB;IAC/B,cAAc,EAAE,EAAE,CAAC,WAAW,CAAC;IAC/B,cAAc,EAAE,MAAM,GAAG,MAAM,CAAC;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,wBAAsB,UAAU,CAC9B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,kBAAkB,EAC1B,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC,OAAO,CAAC,CA0BlB"}

package/dist/jwt/parseToken.js

@@ -0,0 +1,26 @@
+import { decodeProtectedHeader } from 'jose';
+import { makeJwksCache } from './jwksCache.js';
+import { verify } from './verifyJwt.js';
+import ms from 'ms';
+import { toPayload } from '../mappers/client-payload-mapper.js';
+/**
+ * Parses and verifies a JWT using JWKS from Identity OWOX.
+ */
+export async function parseToken(token, client, config) {
+    const { alg } = decodeProtectedHeader(token);
+    if (alg && alg !== config.algorithm) {
+        throw new Error(`Unsupported JWT alg: ${alg}`);
+    }
+    const fetchJwks = async () => {
+        const resp = await client.getJwks();
+        return { keys: resp.keys };
+    };
+    const cacheKey = 'JWKS_KEYS';
+    const cache = makeJwksCache(fetchJwks, cacheKey);
+    const { payload } = await verify(token, async () => (await cache.get(ms(config.jwtKeyCacheTtl))).keyResolver, async () => (await cache.refresh(ms(config.jwtKeyCacheTtl))).keyResolver, {
+        algorithm: config.algorithm,
+        clockTolerance: config.clockTolerance,
+        issuer: config.expectedIss,
+    });
+    return toPayload(payload);
+}

package/dist/jwt/verifyJwt.d.ts

@@ -0,0 +1,13 @@
+import { createLocalJWKSet } from 'jose';
+/** Configuration for JWT verification. */
+interface verifyConfig {
+    algorithm: string;
+    clockTolerance: string | number;
+    issuer: string;
+}
+/**
+ * Verifies a JWT with optional JWKS refresh on key mismatch.
+ */
+export declare function verify(token: string, getKeyResolver: () => Promise<ReturnType<typeof createLocalJWKSet>>, refreshKeyResolver: () => Promise<ReturnType<typeof createLocalJWKSet>>, config: verifyConfig): Promise<import("jose").JWTVerifyResult<import("jose").JWTPayload> & import("jose").ResolvedKey>;
+export {};
+//# sourceMappingURL=verifyJwt.d.ts.map

package/dist/jwt/verifyJwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyJwt.d.ts","sourceRoot":"","sources":["../../src/jwt/verifyJwt.ts"],"names":[],"mappings":"AAAA,OAAO,EAAa,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAIpD,0CAA0C;AAC1C,UAAU,YAAY;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,GAAG,MAAM,CAAC;IAChC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,wBAAsB,MAAM,CAC1B,KAAK,EAAE,MAAM,EACb,cAAc,EAAE,MAAM,OAAO,CAAC,UAAU,CAAC,OAAO,iBAAiB,CAAC,CAAC,EACnE,kBAAkB,EAAE,MAAM,OAAO,CAAC,UAAU,CAAC,OAAO,iBAAiB,CAAC,CAAC,EACvE,MAAM,EAAE,YAAY,mGAmBrB"}

package/dist/jwt/verifyJwt.js

@@ -0,0 +1,23 @@
+import { jwtVerify } from 'jose';
+import { JWKSNoMatchingKey, JWSSignatureVerificationFailed } from 'jose/errors';
+/**
+ * Verifies a JWT with optional JWKS refresh on key mismatch.
+ */
+export async function verify(token, getKeyResolver, refreshKeyResolver, config) {
+    const jwtVerifyOptions = {
+        algorithms: [config.algorithm],
+        clockTolerance: config.clockTolerance,
+        issuer: config.issuer,
+    };
+    try {
+        const key = await getKeyResolver();
+        return await jwtVerify(token, key, jwtVerifyOptions);
+    }
+    catch (err) {
+        const shouldRefreshKey = err instanceof JWKSNoMatchingKey || err instanceof JWSSignatureVerificationFailed;
+        if (!shouldRefreshKey)
+            throw err;
+        const keyAfterReload = await refreshKeyResolver();
+        return await jwtVerify(token, keyAfterReload, jwtVerifyOptions);
+    }
+}

package/dist/mappers/client-payload-mapper.d.ts

@@ -0,0 +1,6 @@
+import { Payload } from '@owox/idp-protocol';
+/**
+ * Maps Identity OWOX payloads into idp-protocol payloads.
+ */
+export declare function toPayload(input: unknown): Payload;
+//# sourceMappingURL=client-payload-mapper.d.ts.map

package/dist/mappers/client-payload-mapper.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-payload-mapper.d.ts","sourceRoot":"","sources":["../../src/mappers/client-payload-mapper.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAiB,MAAM,oBAAoB,CAAC;AAY5D;;GAEG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAEjD"}

package/dist/mappers/client-payload-mapper.js

@@ -0,0 +1,17 @@
+import { IdpOwoxPayloadSchema } from '../client/index.js';
+import { PayloadSchema } from '@owox/idp-protocol';
+const IdpOwoxToPayloadSchema = IdpOwoxPayloadSchema.transform((src) => ({
+    userId: src.userId,
+    projectId: src.projectId,
+    email: src.userEmail,
+    fullName: src.userFullName,
+    avatar: src.userAvatar ?? undefined,
+    roles: src.roles,
+    projectTitle: src.projectTitle,
+})).pipe(PayloadSchema);
+/**
+ * Maps Identity OWOX payloads into idp-protocol payloads.
+ */
+export function toPayload(input) {
+    return IdpOwoxToPayloadSchema.parse(input);
+}

package/dist/mappers/user-info-payload-builder.d.ts

@@ -0,0 +1,11 @@
+import type { UserInfoPayload } from '../services/auth/platform-auth-flow-client.js';
+import type { DatabaseAccount, DatabaseUser } from '../types/database-models.js';
+/**
+ * Builds the auth-flow payload from DB user and account data.
+ */
+export declare function buildUserInfoPayload(params: {
+    state: string;
+    user: DatabaseUser;
+    account: DatabaseAccount;
+}): UserInfoPayload;
+//# sourceMappingURL=user-info-payload-builder.d.ts.map

package/dist/mappers/user-info-payload-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-info-payload-builder.d.ts","sourceRoot":"","sources":["../../src/mappers/user-info-payload-builder.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,+CAA+C,CAAC;AACrF,OAAO,KAAK,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAGjF;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE;IAC3C,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,YAAY,CAAC;IACnB,OAAO,EAAE,eAAe,CAAC;CAC1B,GAAG,eAAe,CAqBlB"}

package/dist/mappers/user-info-payload-builder.js

@@ -0,0 +1,28 @@
+import { splitName } from '../utils/string-utils.js';
+/**
+ * Builds the auth-flow payload from DB user and account data.
+ */
+export function buildUserInfoPayload(params) {
+    const email = params.user.email;
+    if (!email) {
+        throw new Error('Email not found in DB');
+    }
+    const { firstName, lastName, fullName } = splitName(params.user.name);
+    const avatar = params.user.image ?? undefined;
+    return {
+        state: params.state,
+        userInfo: {
+            uid: params.account.accountId,
+            signinProvider: params.account.providerId,
+            email,
+            firstName: toOptional(firstName),
+            lastName: toOptional(lastName),
+            fullName: toOptional(fullName),
+            avatar,
+        },
+    };
+}
+function toOptional(value) {
+    const trimmed = value?.trim();
+    return trimmed ? trimmed : undefined;
+}

package/dist/owox-better-auth-idp.d.ts

@@ -0,0 +1,40 @@
+import { AuthResult, IdpProvider, Payload, Projects } from '@owox/idp-protocol';
+import e, { Express, NextFunction } from 'express';
+import type { BetterAuthProviderConfig } from './config/index.js';
+/**
+ * Main IdP implementation that wires core PKCE flow and Better Auth.
+ */
+export declare class OwoxBetterAuthIdp implements IdpProvider {
+    private readonly config;
+    private readonly auth;
+    private readonly store;
+    private readonly requestHandlerService;
+    private readonly pageService;
+    private readonly betterAuthSessionService;
+    private readonly middlewareService;
+    private readonly identityClient;
+    private readonly logger;
+    private readonly tokenFacade;
+    private readonly userContextService;
+    private readonly platformAuthFlowClient;
+    private readonly pkceFlowOrchestrator;
+    private constructor();
+    static create(config: BetterAuthProviderConfig): Promise<OwoxBetterAuthIdp>;
+    initialize(): Promise<void>;
+    registerRoutes(app: Express): void;
+    signInMiddleware(req: e.Request, res: e.Response, next: NextFunction): Promise<void | e.Response>;
+    signUpMiddleware(req: e.Request, res: e.Response, _next: NextFunction): Promise<void | e.Response>;
+    signOutMiddleware(req: e.Request, res: e.Response, _next: NextFunction): Promise<void | e.Response>;
+    userApiMiddleware(req: e.Request, res: e.Response, _next: NextFunction): Promise<e.Response<Payload>>;
+    projectsApiMiddleware(req: e.Request, res: e.Response, _next: NextFunction): Promise<e.Response<Projects>>;
+    introspectToken(token: string): Promise<Payload | null>;
+    parseToken(token: string): Promise<Payload | null>;
+    verifyToken(token: string): Promise<Payload | null>;
+    refreshToken(refreshToken: string): Promise<AuthResult>;
+    revokeToken(token: string): Promise<void>;
+    accessTokenMiddleware(req: e.Request, res: e.Response, _next: NextFunction): Promise<void | e.Response>;
+    shutdown(): Promise<void>;
+    isHealthy(): Promise<boolean>;
+    private redirectToPlatform;
+}
+//# sourceMappingURL=owox-better-auth-idp.d.ts.map

package/dist/owox-better-auth-idp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"owox-better-auth-idp.d.ts","sourceRoot":"","sources":["../src/owox-better-auth-idp.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,EAAiB,MAAM,oBAAoB,CAAC;AAG/F,OAAO,CAAC,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAGnD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,mBAAmB,CAAC;AAwBlE;;GAEG;AACH,qBAAa,iBAAkB,YAAW,WAAW;IAiBjD,OAAO,CAAC,QAAQ,CAAC,MAAM;IAhBzB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAqD;IAC1E,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAwB;IAC9D,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAc;IAC1C,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAA2B;IACpE,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAoB;IACtD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAqB;IACpD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAkB;IAC9C,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAqB;IACxD,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAyB;IAChE,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAuB;IAE5D,OAAO;WA0CM,MAAM,CAAC,MAAM,EAAE,wBAAwB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAS3E,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAOjC,cAAc,CAAC,GAAG,EAAE,OAAO,GAAG,IAAI;IA2D5B,gBAAgB,CACpB,GAAG,EAAE,CAAC,CAAC,OAAO,EACd,GAAG,EAAE,CAAC,CAAC,QAAQ,EACf,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC;IAmDvB,gBAAgB,CACpB,GAAG,EAAE,CAAC,CAAC,OAAO,EACd,GAAG,EAAE,CAAC,CAAC,QAAQ,EACf,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC;IAevB,iBAAiB,CACrB,GAAG,EAAE,CAAC,CAAC,OAAO,EACd,GAAG,EAAE,CAAC,CAAC,QAAQ,EACf,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC;IAYvB,iBAAiB,CACrB,GAAG,EAAE,CAAC,CAAC,OAAO,EACd,GAAG,EAAE,CAAC,CAAC,QAAQ,EACf,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAczB,qBAAqB,CACzB,GAAG,EAAE,CAAC,CAAC,OAAO,EACd,GAAG,EAAE,CAAC,CAAC,QAAQ,EACf,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAW1B,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAIvD,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAIlD,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAInD,YAAY,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAIvD,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIzC,qBAAqB,CACzB,GAAG,EAAE,CAAC,CAAC,OAAO,EACd,GAAG,EAAE,CAAC,CAAC,QAAQ,EACf,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC;IAIvB,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;IAYzB,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC;YAIrB,kBAAkB;CAcjC"}

package/dist/owox-better-auth-idp.js

@@ -0,0 +1,239 @@
+import { ProtocolRoute } from '@owox/idp-protocol';
+import { LoggerFactory } from '@owox/internal-helpers';
+import cookieParser from 'cookie-parser';
+import e from 'express';
+import { IdentityOwoxClient } from './client/index.js';
+import { createBetterAuthConfig } from './config/idp-better-auth-config.js';
+import { CORE_REFRESH_TOKEN_COOKIE, SOURCE } from './core/constants.js';
+import { AuthenticationException, IdpFailedException } from './core/exceptions.js';
+import { OwoxTokenFacade } from './facades/owox-token-facade.js';
+import { BetterAuthSessionService } from './services/auth/better-auth-session-service.js';
+import { PkceFlowOrchestrator } from './services/auth/pkce-flow-orchestrator.js';
+import { PlatformAuthFlowClient } from './services/auth/platform-auth-flow-client.js';
+import { UserContextService } from './services/core/user-context-service.js';
+import { MiddlewareService } from './services/middleware/middleware-service.js';
+import { RequestHandlerService } from './services/middleware/request-handler-service.js';
+import { PageService } from './services/rendering/page-service.js';
+import { createDatabaseStore } from './store/database-store-factory.js';
+import { clearCookie } from './utils/cookie-policy.js';
+import { buildPlatformEntryUrl } from './utils/platform-redirect-builder.js';
+import { clearBetterAuthCookies, clearPlatformCookies, extractPlatformParams, extractRefreshToken, getStateManager, } from './utils/request-utils.js';
+import { formatError } from './utils/string-utils.js';
+/**
+ * Main IdP implementation that wires core PKCE flow and Better Auth.
+ */
+export class OwoxBetterAuthIdp {
+    config;
+    auth;
+    store;
+    requestHandlerService;
+    pageService;
+    betterAuthSessionService;
+    middlewareService;
+    identityClient;
+    logger;
+    tokenFacade;
+    userContextService;
+    platformAuthFlowClient;
+    pkceFlowOrchestrator;
+    constructor(auth, store, config) {
+        this.config = config;
+        this.auth = auth;
+        this.store = store;
+        this.identityClient = new IdentityOwoxClient(config.idpOwox.identityOwoxClientConfig);
+        this.logger = LoggerFactory.createNamedLogger('OwoxBetterAuthIdp');
+        this.tokenFacade = new OwoxTokenFacade(this.identityClient, this.store, this.config.idpOwox, this.logger, CORE_REFRESH_TOKEN_COOKIE);
+        this.userContextService = new UserContextService(this.store, this.tokenFacade, this.logger);
+        this.platformAuthFlowClient = new PlatformAuthFlowClient(this.identityClient);
+        this.betterAuthSessionService = new BetterAuthSessionService(this.auth, this.store, this.platformAuthFlowClient);
+        this.pkceFlowOrchestrator = new PkceFlowOrchestrator(this.config.idpOwox, this.tokenFacade, this.userContextService, this.platformAuthFlowClient, this.betterAuthSessionService, this.logger);
+        this.requestHandlerService = new RequestHandlerService(this.auth, this.pkceFlowOrchestrator);
+        this.pageService = new PageService();
+        this.middlewareService = new MiddlewareService(this.pageService, this.config.idpOwox, this.store, this.pkceFlowOrchestrator);
+    }
+    static async create(config) {
+        const store = createDatabaseStore(config.idpOwox.dbConfig);
+        const adapter = await store.getAdapter();
+        const auth = await createBetterAuthConfig(config.betterAuth, {
+            adapter,
+        });
+        return new OwoxBetterAuthIdp(auth, store, config);
+    }
+    async initialize() {
+        const { getMigrations } = await import('better-auth/db');
+        const { runMigrations } = await getMigrations(this.auth.options);
+        await this.store.initialize();
+        await runMigrations();
+    }
+    registerRoutes(app) {
+        app.use(e.json());
+        app.use(e.urlencoded({ extended: true }));
+        app.use(cookieParser());
+        this.requestHandlerService.setupBetterAuthHandler(app);
+        this.pageService.registerRoutes(app);
+        app.get('/auth/idp-start', this.middlewareService.idpStartMiddleware.bind(this.middlewareService));
+        // Core callback route (PKCE code exchange)
+        app.get('/auth/callback', async (req, res) => {
+            const code = req.query.code;
+            const state = req.query.state;
+            if (!code) {
+                this.logger.warn('Redirect url should contain code param');
+                return res.redirect(`/auth${ProtocolRoute.SIGN_IN}`);
+            }
+            if (!state) {
+                this.logger.warn('Redirect url should contain state param');
+                clearPlatformCookies(res, req);
+                return res.redirect(`/auth${ProtocolRoute.SIGN_IN}`);
+            }
+            try {
+                const response = await this.tokenFacade.changeAuthCode(code, state);
+                this.tokenFacade.setTokenToCookie(res, req, response.refreshToken, response.refreshTokenExpiresIn);
+                res.redirect('/');
+            }
+            catch (error) {
+                if (error instanceof AuthenticationException) {
+                    this.logger.info(formatError(error), {
+                        context: error.name,
+                        params: error.context,
+                        cause: error.cause,
+                    });
+                }
+                else if (error instanceof IdpFailedException) {
+                    this.logger.error('Token Exchange callback failed with unexpected code', error.context, error.cause);
+                }
+                else {
+                    this.logger.error(formatError(error));
+                }
+                return res.redirect(`/auth${ProtocolRoute.SIGN_IN}`);
+            }
+        });
+    }
+    async signInMiddleware(req, res, next) {
+        const stateManager = getStateManager(req);
+        const queryState = typeof req.query?.state === 'string' ? req.query.state : '';
+        const projectId = typeof req.query?.projectId === 'string' ? req.query.projectId : '';
+        const refreshToken = extractRefreshToken(req);
+        if (stateManager.hasMismatch()) {
+            this.logger.warn('State mismatch detected during sign-in');
+            clearPlatformCookies(res, req);
+            return this.redirectToPlatform(req, res, this.config.idpOwox.idpConfig.platformSignInUrl);
+        }
+        if (!queryState) {
+            if (projectId && refreshToken) {
+                return this.middlewareService.idpStartMiddleware(req, res);
+            }
+            if (refreshToken) {
+                try {
+                    const auth = await this.tokenFacade.refreshToken(refreshToken);
+                    if (auth.refreshToken && auth.refreshTokenExpiresIn !== undefined) {
+                        this.tokenFacade.setTokenToCookie(res, req, auth.refreshToken, auth.refreshTokenExpiresIn);
+                    }
+                    return res.redirect('/');
+                }
+                catch (error) {
+                    if (error instanceof AuthenticationException) {
+                        clearCookie(res, CORE_REFRESH_TOKEN_COOKIE, req);
+                        this.logger.warn('Refresh token rejected during sign-in, cookie cleared', {
+                            context: error.context,
+                            cause: error.cause,
+                        });
+                    }
+                    else if (error instanceof IdpFailedException) {
+                        this.logger.warn('Sign-in refresh failed due to upstream IdP error', {
+                            context: error.context,
+                            cause: error.cause,
+                        });
+                    }
+                    else {
+                        this.logger.error(formatError(error));
+                    }
+                }
+            }
+            return this.redirectToPlatform(req, res, this.config.idpOwox.idpConfig.platformSignInUrl);
+        }
+        stateManager.persist(res, queryState);
+        return this.middlewareService.signInMiddleware(req, res, next);
+    }
+    async signUpMiddleware(req, res, _next) {
+        const stateManager = getStateManager(req);
+        const queryState = typeof req.query?.state === 'string' ? req.query.state : '';
+        if (stateManager.hasMismatch()) {
+            this.logger.warn('State mismatch detected during sign-up');
+            clearPlatformCookies(res, req);
+            return this.redirectToPlatform(req, res, this.config.idpOwox.idpConfig.platformSignUpUrl);
+        }
+        if (!queryState) {
+            return this.redirectToPlatform(req, res, this.config.idpOwox.idpConfig.platformSignUpUrl);
+        }
+        stateManager.persist(res, queryState);
+        return this.middlewareService.signUpMiddleware(req, res, _next);
+    }
+    async signOutMiddleware(req, res, _next) {
+        const refreshToken = extractRefreshToken(req);
+        if (refreshToken) {
+            await this.revokeToken(refreshToken);
+        }
+        clearCookie(res, CORE_REFRESH_TOKEN_COOKIE, req);
+        clearBetterAuthCookies(res, req);
+        const redirectUrl = this.config.idpOwox.idpConfig.signOutRedirectUrl ?? `/auth${ProtocolRoute.SIGN_IN}`;
+        res.redirect(redirectUrl);
+    }
+    async userApiMiddleware(req, res, _next) {
+        const accessToken = req.headers['x-owox-authorization'];
+        if (!accessToken) {
+            return res.status(401).json({ message: 'Unauthorized', reason: 'uam1' });
+        }
+        const payload = await this.parseToken(accessToken);
+        if (!payload) {
+            return res.status(401).json({ message: 'Unauthorized', reason: 'uam2' });
+        }
+        return res.json(payload);
+    }
+    async projectsApiMiddleware(req, res, _next) {
+        const accessToken = req.headers['x-owox-authorization'];
+        if (!accessToken) {
+            return res.status(401).json({ message: 'Unauthorized', reason: 'pam1' });
+        }
+        const projects = await this.identityClient.getProjects(accessToken);
+        return res.json(projects);
+    }
+    async introspectToken(token) {
+        return this.tokenFacade.introspectToken(token);
+    }
+    async parseToken(token) {
+        return this.tokenFacade.parseToken(token);
+    }
+    async verifyToken(token) {
+        return this.tokenFacade.verifyToken(token);
+    }
+    async refreshToken(refreshToken) {
+        return this.tokenFacade.refreshToken(refreshToken);
+    }
+    async revokeToken(token) {
+        await this.tokenFacade.revokeToken(token);
+    }
+    async accessTokenMiddleware(req, res, _next) {
+        return this.tokenFacade.accessTokenMiddleware(req, res, _next);
+    }
+    async shutdown() {
+        try {
+            await this.store.shutdown();
+        }
+        catch (error) {
+            LoggerFactory.createNamedLogger('OwoxBetterAuthIdp').error('Failed to shutdown BetterAuth store', {}, error);
+        }
+    }
+    async isHealthy() {
+        return this.store.isHealthy();
+    }
+    async redirectToPlatform(req, res, authUrl) {
+        const params = extractPlatformParams(req);
+        const platformUrl = buildPlatformEntryUrl({
+            authUrl,
+            params,
+            defaultSource: SOURCE.APP,
+            allowedRedirectOrigins: this.config.idpOwox.idpConfig.allowedRedirectOrigins,
+        });
+        return res.redirect(platformUrl.toString());
+    }
+}

package/dist/resources/templates/layouts/auth.ejs

@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html lang="en">
+<%- include('../partials/head', { pageTitle }) %>
+<body class="min-h-screen bg-background flex items-center justify-center p-4">
+  <!-- Split Panel Container -->
+  <div class="w-full max-w-5xl">
+    <!-- Page Header (above split panel) -->
+    <%- include('../partials/header', { heading }) %>
+    
+    <!-- Split Panel Layout -->
+    <div class="mt-8 grid grid-cols-1 lg:grid-cols-2 gap-0 shadow-xl rounded-lg overflow-hidden border border-border min-h-[400px]">
+      <!-- Left Panel - Brand -->
+      <div class="hidden lg:block">
+        <%- include('../partials/brand-panel') %>
+      </div>
+      
+      <!-- Right Panel - Content -->
+      <div class="bg-card p-8 lg:p-12 flex items-center justify-center">
+        <div class="w-full max-w-md">
+          <%- body %>
+        </div>
+      </div>
+    </div>
+    
+    <!-- Footer -->
+    <%- include('../partials/footer') %>
+  </div>
+</body>
+</html>

package/dist/resources/templates/pages/sign-in.ejs

@@ -0,0 +1,66 @@
+<!-- Sign In Content -->
+<div class="space-y-6">
+  <!-- Message -->
+  <p class="text-center text-sm text-muted-foreground">
+    Be confident that your data is protected by Google's infrastructure security standards.
+  </p>
+
+  <!-- Sign in button -->
+  <button
+    id="google-signin"
+    type="button"
+    class="w-full inline-flex justify-center items-center gap-2 py-2 px-4 border border-border rounded-md text-sm font-medium text-foreground bg-background hover:bg-muted transition-colors"
+  >
+    <svg xmlns="http://www.w3.org/2000/svg" class="w-5 h-5" x="0px" y="0px" width="100" height="100" viewBox="0 0 48 48">
+      <path fill="#FFC107" d="M43.611,20.083H42V20H24v8h11.303c-1.649,4.657-6.08,8-11.303,8c-6.627,0-12-5.373-12-12c0-6.627,5.373-12,12-12c3.059,0,5.842,1.154,7.961,3.039l5.657-5.657C34.046,6.053,29.268,4,24,4C12.955,4,4,12.955,4,24c0,11.045,8.955,20,20,20c11.045,0,20-8.955,20-20C44,22.659,43.862,21.35,43.611,20.083z"></path><path fill="#FF3D00" d="M6.306,14.691l6.571,4.819C14.655,15.108,18.961,12,24,12c3.059,0,5.842,1.154,7.961,3.039l5.657-5.657C34.046,6.053,29.268,4,24,4C16.318,4,9.656,8.337,6.306,14.691z"></path><path fill="#4CAF50" d="M24,44c5.166,0,9.86-1.977,13.409-5.192l-6.19-5.238C29.211,35.091,26.715,36,24,36c-5.202,0-9.619-3.317-11.283-7.946l-6.522,5.025C9.505,39.556,16.227,44,24,44z"></path><path fill="#1976D2" d="M43.611,20.083H42V20H24v8h11.303c-0.792,2.237-2.231,4.166-4.087,5.571c0.001-0.001,0.002-0.001,0.003-0.002l6.19,5.238C36.971,39.205,44,34,44,24C44,22.659,43.862,21.35,43.611,20.083z"></path>
+    </svg>
+    <span>Sign in with Google</span>
+  </button>
+
+  <!-- Sign up link -->
+  <p class="text-center text-sm text-muted-foreground">
+    Don't have an account?
+    <a href="/auth/sign-up" class="font-medium text-primary hover:text-primary/80">Create one</a>
+  </p>
+</div>
+
+<script>
+  const urlParams = new URLSearchParams(window.location.search);
+  const redirect = urlParams.get('redirect');
+  const googleButton = document.getElementById('google-signin');
+
+  async function submitSocial(provider) {
+    const callbackURL = redirect || '/';
+    try {
+      const response = await fetch('/auth/better-auth/sign-in/social', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ provider, callbackURL }),
+        redirect: 'follow',
+      });
+
+      if (response.redirected) {
+        window.location.href = response.url;
+        return;
+      }
+
+      const contentType = response.headers.get('content-type') || '';
+      if (contentType.includes('application/json')) {
+        const data = await response.json();
+        if (data?.url) {
+          window.location.href = data.url;
+          return;
+        }
+      }
+
+      // Fallback: reload to let server set cookies if any
+      window.location.reload();
+    } catch (error) {
+      console.error('Social sign-in failed', error);
+    }
+  }
+
+  googleButton?.addEventListener('click', () => submitSocial('google'));
+</script>