@owox/idp-owox-better-auth 0.18.0

package/dist/resources/templates/pages/sign-up.ejs

@@ -0,0 +1,65 @@
+<!-- Sign Up Content -->
+<div class="space-y-6">
+  <!-- Message -->
+  <p class="text-center text-sm text-muted-foreground">
+    Be confident that your data is protected by Google's infrastructure security standards.
+  </p>
+
+  <!-- Sign up button -->
+  <button
+    id="google-signup"
+    type="button"
+    class="w-full inline-flex justify-center items-center gap-2 py-2 px-4 border border-border rounded-md text-sm font-medium text-foreground bg-background hover:bg-muted transition-colors"
+  >
+    <svg xmlns="http://www.w3.org/2000/svg" class="w-5 h-5" x="0px" y="0px" viewBox="0 0 48 48">
+      <path fill="#FFC107" d="M43.611,20.083H42V20H24v8h11.303c-1.649,4.657-6.08,8-11.303,8c-6.627,0-12-5.373-12-12c0-6.627,5.373-12,12-12c3.059,0,5.842,1.154,7.961,3.039l5.657-5.657C34.046,6.053,29.268,4,24,4C12.955,4,4,12.955,4,24c0,11.045,8.955,20,20,20c11.045,0,20-8.955,20-20C44,22.659,43.862,21.35,43.611,20.083z"></path><path fill="#FF3D00" d="M6.306,14.691l6.571,4.819C14.655,15.108,18.961,12,24,12c3.059,0,5.842,1.154,7.961,3.039l5.657-5.657C34.046,6.053,29.268,4,24,4C16.318,4,9.656,8.337,6.306,14.691z"></path>
+      <path fill="#4CAF50" d="M24,44c5.166,0,9.86-1.977,13.409-5.192l-6.19-5.238C29.211,35.091,26.715,36,24,36c-5.202,0-9.619-3.317-11.283-7.946l-6.522,5.025C9.505,39.556,16.227,44,24,44z"></path>
+      <path fill="#1976D2" d="M43.611,20.083H42V20H24v8h11.303c-0.792,2.237-2.231,4.166-4.087,5.571c0.001-0.001,0.002-0.001,0.003-0.002l6.19,5.238C36.971,39.205,44,34,44,24C44,22.659,43.862,21.35,43.611,20.083z"></path>
+    </svg>
+    <span>Sign up with Google</span>
+  </button>
+
+  <!-- Sign in link -->
+  <p class="text-center text-sm text-muted-foreground">
+    Already have an account?
+    <a href="/auth/sign-in" class="font-medium text-primary hover:text-primary/80">Sign in</a>
+  </p>
+</div>
+
+<script>
+  const urlParams = new URLSearchParams(window.location.search);
+  const redirectValue = urlParams.get('redirect') || '/';
+  const googleButton = document.getElementById('google-signup');
+  const redirectTarget = redirectValue || '/';
+
+  async function startSocial(provider) {
+    try {
+      const response = await fetch('/auth/better-auth/sign-in/social', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ provider, callbackURL: redirectTarget }),
+        redirect: 'follow',
+      });
+
+      if (response.redirected) {
+        window.location.href = response.url;
+        return;
+      }
+
+      const contentType = response.headers.get('content-type') || '';
+      if (contentType.includes('application/json')) {
+        const data = await response.json();
+        if (data?.url) {
+          window.location.href = data.url;
+          return;
+        }
+      }
+
+      window.location.reload();
+    } catch (err) {
+      console.error('Social signup failed', err);
+    }
+  }
+
+  googleButton?.addEventListener('click', () => startSocial('google'));
+</script>

package/dist/resources/templates/partials/brand-panel.ejs

@@ -0,0 +1,24 @@
+<!-- Left Brand Panel -->
+<div
+  class="flex flex-col items-center justify-center h-full rounded-l-lg relative overflow-hidden"
+  style="background: rgba(30, 136, 229, 0.1) url('data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMTc2IiBoZWlnaHQ9IjQwMCIgdmlld0JveD0iMCAwIDE3NiA0MDAiIGZpbGw9Im5vbmUiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+CjxnIGZpbHRlcj0idXJsKCNmaWx0ZXIwX2ZfMTgyMl8xNjUzMCkiPgo8cGF0aCBkPSJNMTU1LjI5MyAyNTUuNjEzSDE5NS43MDdMMTgzLjEwNCAxODIuMjc5QzE4OS42NTUgMTgwLjA3MiAxOTUuMDggMTc2LjI4IDE5OS4zOCAxNzAuOTAzQzIwMy42ODEgMTY1LjUyNyAyMDUuODMxIDE1OS4zNTUgMjA1LjgzMSAxNTIuMzg3QzIwNS44MzEgMTQzLjg3MSAyMDIuODkgMTM2LjY1MiAxOTcuMDEgMTMwLjczMUMxOTEuMTI4IDEyNC44MSAxODMuOTU4IDEyMS44NDkgMTc1LjUgMTIxLjg0OUMxNjcuMDQyIDEyMS44NDkgMTU5Ljg3MiAxMjQuODEgMTUzLjk5IDEzMC43MzFDMTQ4LjExIDEzNi42NTIgMTQ1LjE2OSAxNDMuODcxIDE0NS4xNjkgMTUyLjM4N0MxNDUuMTY5IDE1OS4zNTUgMTQ3LjMxOSAxNjUuNTI3IDE1MS42MiAxNzAuOTAzQzE1NS45MiAxNzYuMjggMTYxLjM0NSAxODAuMDcyIDE2Ny44OTYgMTgyLjI3OUwxNTUuMjkzIDI1NS42MTNaTTE3NS41IDQwMEMxMzAuNzg3IDM4Ni4zOCA5My42OTE2IDM1OC44MTcgNjQuMjE0OCAzMTcuMzEyQzM0LjczODIgMjc1LjgwNiAyMCAyMjkuMzA1IDIwIDE3Ny44MDZWNTguNDk0NEwxNzUuNSAwTDMzMSA1OC40OTQ0VjE3Ny44MDZDMzMxIDIyOS4zMDUgMzE2LjI2MiAyNzUuODA2IDI4Ni43ODUgMzE3LjMxMkMyNTcuMzA4IDM1OC44MTcgMjIwLjIxMyAzODYuMzggMTc1LjUgNDAwWk0xNzUuNSAzODEuNjc4QzIxNS43OTkgMzY4LjY2IDI0OC45NDIgMzQzLjEzMyAyNzQuOTMxIDMwNS4wOTdDMzAwLjkxOCAyNjcuMDYxIDMxMy45MTIgMjI0LjYzMSAzMTMuOTEyIDE3Ny44MDZWNzAuMzY1NUwxNzUuNSAxOC4xNTA4TDM3LjA4NzggNzAuMzY1NVYxNzcuODA2QzM3LjA4NzggMjI0LjYzMSA1MC4wODE3IDI2Ny4wNjEgNzYuMDY5NCAzMDUuMDk3QzEwMi4wNTggMzQzLjEzMyAxMzUuMjAxIDM2OC42NiAxNzUuNSAzODEuNjc4WiIgZmlsbD0iIzFFODhFNSIgZmlsbC1vcGFjaXR5PSIwLjEiLz4KPC9nPgo8ZGVmcz4KPGZpbHRlciBpZD0iZmlsdGVyMF9mXzE4MjJfMTY1MzAiIHg9IjAiIHk9Ii0yMCIgd2lkdGg9IjM1MSIgaGVpZ2h0PSI0NDAiIGZpbHRlclVuaXRzPSJ1c2VyU3BhY2VPblVzZSIgY29sb3ItaW50ZXJwb2xhdGlvbi1maWx0ZXJzPSJzUkdCIj4KPGZlRmxvb2QgZmxvb2Qtb3BhY2l0eT0iMCIgcmVzdWx0PSJCYWNrZ3JvdW5kSW1hZ2VGaXgiLz4KPGZlQmxlbmQgbW9kZT0ibm9ybWFsIiBpbj0iU291cmNlR3JhcGhpYyIgaW4yPSJCYWNrZ3JvdW5kSW1hZ2VGaXgiIHJlc3VsdD0ic2hhcGUiLz4KPGZlR2F1c3NpYW5CbHVyIHN0ZERldmlhdGlvbj0iMTAiIHJlc3VsdD0iZWZmZWN0MV9mb3JlZ3JvdW5kQmx1cl8xODIyXzE2NTMwIi8+CjwvZmlsdGVyPgo8L2RlZnM+Cjwvc3ZnPgo=') no-repeat right center; background-size: contain;"
+>
+  <!-- Content -->
+  <div class="relative z-10 text-center px-8">
+    <!-- Logo -->
+    <div class="mb-6 flex justify-center">
+      <img
+        src="data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iNDUiIGhlaWdodD0iMzYiIHZpZXdCb3g9IjAgMCA0NSAzNiIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPGcgY2xpcC1wYXRoPSJ1cmwoI2NsaXAwXzEwMjZfOSkiPgo8cGF0aCBkPSJNNDEuMDEyNCAyLjcwODA4QzQyLjU4NDEgNC4yODA4NiA0My4yMzA3IDYuOTMxMzQgNDMuMjMwNyA2LjkzMTM0QzQzLjIzMDcgNi45MzEzNCA0NC4xOTI0IDEyLjI2ODYgNDQuMTkyNCAxOS41MTUyQzQ0LjE5MjQgOS4yNTc3OCA0MC43MTI2IDcuNDk3MSAyOC42MTY5IDcuNDk3MUgxNy40NjIyQzExLjI3MDIgNy40OTcxIDExLjY4OSAxMy43MiAxMS4yNzAyIDE2LjY4MTVMMTAuNzYxNCAyMS4xNTZDMTAuNTE3MSAyNS44NjM1IDExLjMzNDUgMjguNzgwNSAxNi4xNjQ0IDI4Ljc4MDVDNi4wOTM3MiAyOC43ODA1IDAuNDk5OTg3IDMwLjQyOTQgMC41IDE2LjIzMjZDMC40OTk5OTQgOS44MDcwOCAxLjQ2ODkzIDYuOTMxMzQgMS40Njg5MyA2LjkzMTM0QzEuNDY4OTMgNi45MzEzNCAyLjExNTQ4IDQuMjgwODYgMy42OTA0OCAyLjcwODA4QzUuMjY1NDkgMS4xMzM0OSA3LjU5OTggMC45NzU0NTMgNy41OTk4IDAuOTc1NDUzQzcuNTk5OCAwLjk3NTQ1MyAxMi40MTk1IDAuMjUgMjEuOTQwMyAwLjI1QzMxLjQ2MTIgMC4yNSAzNi44NCAwLjk3NTQ1MyAzNi44NCAwLjk3NTQ1M0MzNi44NCAwLjk3NTQ1MyAzOS40MzU5IDEuMTMzNDkgNDEuMDEyNCAyLjcwODA4WiIgZmlsbD0idXJsKCNwYWludDBfbGluZWFyXzEwMjZfOSkiLz4KPHBhdGggZD0iTTQ0LjE5MDcgMTkuODQxMkM0NC4xOTEzIDE5Ljk2OTUgNDQuMTkxNiAyMC4wOTg5IDQ0LjE5MTYgMjAuMjI5NUM0NC4xOTE2IDI2LjM4MzcgNDMuMjc1NCAyOC43NzkgNDMuMjc1NCAyOC43NzlDNDMuMjc1NCAyOC43NzkgNDIuNTU4NCAzMS42ODA4IDQxLjMzNDMgMzIuOTM0M0MzOS4zOTE4IDM0LjkyMzMgMzcuMzE0NCAzNS4wMzQzIDM3LjMxNDQgMzUuMDM0M0MzNy4zMTQ0IDM1LjAzNDMgMzIuODQ1MyAzNS43NSAyMy4yMjkgMzUuNzVDMTQuMDAzMSAzNS43NSA3Ljg1OTIxIDM1LjAzODcgNy44NTkyMSAzNS4wMzg3QzcuODU5MjEgMzUuMDM4NyA1LjI2NTA0IDM0Ljg3OTUgMy42OTAwNCAzMy4zMDY0QzIuMTE1MDQgMzEuNzMwNyAxLjQ2ODQ5IDI4Ljc3OSAxLjQ2ODQ5IDI4Ljc3OUMxLjQ2ODQ5IDI4Ljc3OSAwLjUgMjIuNzE2MyAwLjUgMTYuMDc5NEMwLjQ5OTk4OCAyOC44NzUyIDUuMDQ0MiAyOC43OTg0IDEzLjMxNDkgMjguNjU4N0gxMy4zMTQ5QzE0LjIyMDQgMjguNjQzNCAxNS4xNzA2IDI4LjYyNzMgMTYuMTY0NCAyOC42MjczSDI3LjMxOEMzMi4yMDEzIDI4LjYyNzMgMzMuMzAzOSAyNS4wNzMxIDMzLjUxNjQgMjEuMDAyOEwzNC4wMjY3IDE0Ljc5MzRDMzQuMTYyNiAxMi4yNDA5IDMzLjgzMzcgMTAuNDI4NyAzMy4wMzM2IDkuMjYyNDFDMzIuMTYxMiA3Ljk5MDE2IDMwLjY3NDcgNy4zNDM5IDI4LjYxNjkgNy4zNDM5QzQxLjQyNTMgNy4zNDM5IDQ0LjEwMjIgOS4wNTk5OCA0NC4xOTA3IDE5Ljg0MTJaIiBmaWxsPSJ1cmwoI3BhaW50MV9saW5lYXJfMTAyNl85KSIvPgo8L2c+CjxkZWZzPgo8bGluZWFyR3JhZGllbnQgaWQ9InBhaW50MF9saW5lYXJfMTAyNl85IiB4MT0iMjIuMjg3OCIgeTE9IjAuMjUiIHgyPSIyMi40ODE4IiB5Mj0iMzAuNTc2OCIgZ3JhZGllbnRVbml0cz0idXNlclNwYWNlT25Vc2UiPgo8c3RvcCBzdG9wLWNvbG9yPSIjMDVEMkZGIi8+CjxzdG9wIG9mZnNldD0iMC4xNTYyMjciIHN0b3AtY29sb3I9IiMyMUExRjEiLz4KPHN0b3Agb2Zmc2V0PSIwLjQwNzExNCIgc3RvcC1jb2xvcj0iIzFFODhFNSIvPgo8c3RvcCBvZmZzZXQ9IjAuNzIyNDgiIHN0b3AtY29sb3I9IiMxRTZFRTUiLz4KPHN0b3Agb2Zmc2V0PSIxIiBzdG9wLWNvbG9yPSIjMTgyRkZGIi8+CjwvbGluZWFyR3JhZGllbnQ+CjxsaW5lYXJHcmFkaWVudCBpZD0icGFpbnQxX2xpbmVhcl8xMDI2XzkiIHgxPSIzLjE3NzgzIiB5MT0iMzUuNjkzNyIgeDI9IjM3LjkzODYiIHkyPSI1LjQxMDk1IiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSI+CjxzdG9wIHN0b3AtY29sb3I9IiMyNEQ4RkYiLz4KPHN0b3Agb2Zmc2V0PSIwLjE1NjIyNyIgc3RvcC1jb2xvcj0iIzIxQTFGMSIvPgo8c3RvcCBvZmZzZXQ9IjAuNDA3MTE0IiBzdG9wLWNvbG9yPSIjMUU4OEU1Ii8+CjxzdG9wIG9mZnNldD0iMC43NDkxMDYiIHN0b3AtY29sb3I9IiMxRTdBRTUiLz4KPHN0b3Agb2Zmc2V0PSIxIiBzdG9wLWNvbG9yPSIjMDA0NkY5Ii8+CjwvbGluZWFyR3JhZGllbnQ+CjxjbGlwUGF0aCBpZD0iY2xpcDBfMTAyNl85Ij4KPHJlY3Qgd2lkdGg9IjQ1IiBoZWlnaHQ9IjM2IiBmaWxsPSJ3aGl0ZSIvPgo8L2NsaXBQYXRoPgo8L2RlZnM+Cjwvc3ZnPgo="
+        width="60"
+        height="48"
+        alt="OWOX"
+        class="w-15 h-12"
+      />
+    </div>
+    
+    <!-- Tagline -->
+    <p class="text-foreground text-base font-medium">
+      Where Data Makes Sense
+    </p>
+  </div>
+</div>

package/dist/resources/templates/partials/footer.ejs

@@ -0,0 +1,10 @@
+<!-- Footer -->
+<div class="mt-8 text-center">
+  <p class="text-xs text-muted-foreground">
+    By clicking the "Sign in with Google" button, I agree with the
+    <a href="https://www.owox.com/policies/terms/" target="_blank" class="text-primary hover:text-primary/80">Terms of Service</a>
+    and
+    <a href="https://www.owox.com/policies/privacy/" target="_blank" class="text-primary hover:text-primary/80">Privacy Policy</a>.
+  </p>
+</div>
+

package/dist/resources/templates/partials/head.ejs

@@ -0,0 +1,64 @@
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title><%= pageTitle %></title>
+  <script src="https://cdn.tailwindcss.com"></script>
+  <script>
+    tailwind.config = {
+      theme: {
+        extend: {
+          colors: {
+            // OWOX Design System Colors
+            background: "oklch(1 0 0)",
+            foreground: "oklch(0.3346 0.0123 279.25)",
+            card: "oklch(1 0 0)",
+            'card-foreground': "oklch(0.3346 0.0123 279.25)",
+            popover: "oklch(1 0 0)",
+            'popover-foreground': "oklch(0.3346 0.0123 279.25)",
+            primary: {
+              DEFAULT: "oklch(0.6179 0.2295 250.87)",
+              hover: "oklch(0.54 0.23 250.87)",
+              foreground: "oklch(0.985 0 0)",
+            },
+            secondary: {
+              DEFAULT: "oklch(0.97 0 0)",
+              foreground: "oklch(0.205 0 0)",
+            },
+            muted: {
+              DEFAULT: "oklch(0.97 0 0)",
+              foreground: "oklch(0.5148 0.0128 274.72)",
+            },
+            accent: {
+              DEFAULT: "oklch(0.97 0 0)",
+              foreground: "oklch(0.205 0 0)",
+            },
+            destructive: {
+              DEFAULT: "oklch(0.577 0.245 27.325)",
+              foreground: "oklch(0.985 0 0)",
+            },
+            border: "oklch(0.922 0 0)",
+            input: "oklch(0.922 0 0)",
+            ring: "oklch(0.708 0 0)",
+            success: {
+              DEFAULT: "oklch(0.647 0.165 142.495)",
+              foreground: "oklch(0.985 0 0)",
+            },
+            // Brand blue colors
+            'brand-blue': {
+              50: "oklch(0.985 0.03 250.87)",
+              100: "oklch(0.955 0.05 250.87)",
+              200: "oklch(0.9 0.08 250.87)",
+              300: "oklch(0.8 0.14 250.87)",
+              400: "oklch(0.7 0.19 250.87)",
+              500: "oklch(0.6179 0.2295 250.87)",
+              600: "oklch(0.54 0.23 250.87)",
+              700: "oklch(0.44 0.2 250.87)",
+              800: "oklch(0.36 0.17 250.87)",
+              900: "oklch(0.28 0.14 250.87)",
+            },
+          },
+        },
+      },
+    }
+  </script>
+</head>

package/dist/resources/templates/partials/header.ejs

@@ -0,0 +1,7 @@
+<!-- Header -->
+<div class="text-center mb-6">
+  <h1 class="text-2xl font-medium text-foreground">
+    <%= heading %>
+  </h1>
+</div>
+

package/dist/services/auth/better-auth-session-service.d.ts

@@ -0,0 +1,28 @@
+import { type Request } from 'express';
+import { createBetterAuthConfig } from '../../config/idp-better-auth-config.js';
+import type { DatabaseStore } from '../../store/database-store.js';
+import { AuthSession } from '../../types/auth-session.js';
+import { PlatformAuthFlowClient, type UserInfoPayload } from './platform-auth-flow-client.js';
+/**
+ * Better Auth integration for social login and user/account lookup.
+ * Manages Better Auth sessions and user data.
+ * Core IdP tokens are handled in OwoxTokenFacade/PkceFlowOrchestrator.
+ */
+export declare class BetterAuthSessionService {
+    private readonly auth;
+    private readonly store;
+    private readonly platformAuthFlowClient;
+    constructor(auth: Awaited<ReturnType<typeof createBetterAuthConfig>>, store: DatabaseStore, platformAuthFlowClient: PlatformAuthFlowClient);
+    buildUserInfoPayload(req: Request): Promise<UserInfoPayload>;
+    completeAuthFlow(req: Request): Promise<{
+        code: string;
+        payload: UserInfoPayload;
+    }>;
+    completeAuthFlowWithSessionToken(sessionToken: string, state: string): Promise<{
+        code: string;
+        payload: UserInfoPayload;
+    }>;
+    getSession(req: Request): Promise<AuthSession | null>;
+    private buildHeadersFromExpress;
+}
+//# sourceMappingURL=better-auth-session-service.d.ts.map

package/dist/services/auth/better-auth-session-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"better-auth-session-service.d.ts","sourceRoot":"","sources":["../../../src/services/auth/better-auth-session-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,OAAO,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,sBAAsB,EAAE,MAAM,wCAAwC,CAAC;AAIhF,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAC;AACnE,OAAO,EAAE,WAAW,EAAE,MAAM,6BAA6B,CAAC;AAE1D,OAAO,EAAE,sBAAsB,EAAE,KAAK,eAAe,EAAE,MAAM,gCAAgC,CAAC;AAE9F;;;;GAIG;AACH,qBAAa,wBAAwB;IAEjC,OAAO,CAAC,QAAQ,CAAC,IAAI;IACrB,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,sBAAsB;gBAFtB,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,OAAO,sBAAsB,CAAC,CAAC,EACxD,KAAK,EAAE,aAAa,EACpB,sBAAsB,EAAE,sBAAsB;IAG3D,oBAAoB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,eAAe,CAAC;IA0B5D,gBAAgB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,eAAe,CAAA;KAAE,CAAC;IAYnF,gCAAgC,CACpC,YAAY,EAAE,MAAM,EACpB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,eAAe,CAAA;KAAE,CAAC;IAkChD,UAAU,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IA6B3D,OAAO,CAAC,uBAAuB;CAYhC"}

package/dist/services/auth/better-auth-session-service.js

@@ -0,0 +1,121 @@
+import { BETTER_AUTH_SESSION_COOKIE } from '../../core/constants.js';
+import { logger } from '../../core/logger.js';
+import { buildUserInfoPayload } from '../../mappers/user-info-payload-builder.js';
+import { getStateManager } from '../../utils/request-utils.js';
+/**
+ * Better Auth integration for social login and user/account lookup.
+ * Manages Better Auth sessions and user data.
+ * Core IdP tokens are handled in OwoxTokenFacade/PkceFlowOrchestrator.
+ */
+export class BetterAuthSessionService {
+    auth;
+    store;
+    platformAuthFlowClient;
+    constructor(auth, store, platformAuthFlowClient) {
+        this.auth = auth;
+        this.store = store;
+        this.platformAuthFlowClient = platformAuthFlowClient;
+    }
+    async buildUserInfoPayload(req) {
+        const stateManager = getStateManager(req);
+        const session = await this.getSession(req);
+        if (session?.user) {
+            const [dbUser, account] = await Promise.all([
+                this.store.getUserById(session.user.id),
+                this.store.getAccountByUserId(session.user.id),
+            ]);
+            if (!account) {
+                throw new Error(`No account found for user ${session.user.id}`);
+            }
+            if (!dbUser) {
+                throw new Error(`User not found in DB for session ${session.user.id}`);
+            }
+            return buildUserInfoPayload({
+                state: stateManager.extract(),
+                user: dbUser,
+                account,
+            });
+        }
+        throw new Error('No session found for user info');
+    }
+    async completeAuthFlow(req) {
+        const payload = await this.buildUserInfoPayload(req);
+        logger.info('Sending auth flow payload', {
+            hasState: Boolean(payload.state),
+            signinProvider: payload.userInfo.signinProvider,
+            userId: payload.userInfo.uid,
+        });
+        const result = await this.platformAuthFlowClient.completeAuthFlow(payload);
+        logger.info('Integrated backend responded', { hasCode: Boolean(result.code) });
+        return { code: result.code, payload };
+    }
+    async completeAuthFlowWithSessionToken(sessionToken, state) {
+        const headers = new Headers();
+        headers.set('cookie', `${BETTER_AUTH_SESSION_COOKIE}=${encodeURIComponent(sessionToken)}`);
+        const session = await this.auth.api.getSession({ headers });
+        if (!session || !session.user || !session.session) {
+            throw new Error('Failed to resolve session from Better Auth token');
+        }
+        const dbUser = await this.store.getUserById(session.user.id);
+        const account = await this.store.getAccountByUserId(session.user.id);
+        if (!account) {
+            throw new Error(`No account found for user ${session.user.id}`);
+        }
+        if (!dbUser) {
+            throw new Error(`User not found in DB for session ${session.user.id}`);
+        }
+        const payload = buildUserInfoPayload({
+            state,
+            user: dbUser,
+            account,
+        });
+        logger.info('Sending auth flow payload (callback)', {
+            state: payload.state,
+            userInfo: payload.userInfo,
+        });
+        const result = await this.platformAuthFlowClient.completeAuthFlow(payload);
+        logger.info('Integrated backend responded (callback)', { hasCode: Boolean(result.code) });
+        return { code: result.code, payload };
+    }
+    async getSession(req) {
+        try {
+            const session = await this.auth.api.getSession({
+                headers: this.buildHeadersFromExpress(req),
+            });
+            if (!session || !session.user || !session.session) {
+                return null;
+            }
+            return {
+                user: {
+                    id: session.user.id,
+                    email: session.user.email,
+                    name: session.user.name,
+                },
+                session: {
+                    id: session.session.id,
+                    userId: session.session.userId,
+                    token: session.session.token,
+                    expiresAt: session.session.expiresAt,
+                },
+            };
+        }
+        catch (error) {
+            logger.error('Failed to get session', {}, error);
+            throw new Error('Failed to get session');
+        }
+    }
+    buildHeadersFromExpress(req) {
+        const headers = new Headers();
+        for (const [key, value] of Object.entries(req.headers)) {
+            if (!value)
+                continue;
+            if (Array.isArray(value)) {
+                headers.set(key, value.join(', '));
+            }
+            else {
+                headers.set(key, String(value));
+            }
+        }
+        return headers;
+    }
+}

package/dist/services/auth/pkce-flow-orchestrator.d.ts

@@ -0,0 +1,33 @@
+import { Logger } from '@owox/internal-helpers';
+import type { Request, Response } from 'express';
+import type { IdpOwoxConfig } from '../../config/idp-owox-config.js';
+import type { OwoxTokenFacade } from '../../facades/owox-token-facade.js';
+import { type PlatformParams } from '../../utils/request-utils.js';
+import type { BetterAuthSessionService } from '../auth/better-auth-session-service.js';
+import type { UserContextService } from '../core/user-context-service.js';
+import { PlatformAuthFlowClient } from './platform-auth-flow-client.js';
+/**
+ * Orchestrates PKCE completion for Platform using core tokens or social login.
+ */
+export declare class PkceFlowOrchestrator {
+    private readonly idpOwoxConfig;
+    private readonly tokenFacade;
+    private readonly userContextService;
+    private readonly platformAuthFlowClient;
+    private readonly betterAuthSessionService;
+    private readonly logger;
+    constructor(idpOwoxConfig: IdpOwoxConfig, tokenFacade: OwoxTokenFacade, userContextService: UserContextService, platformAuthFlowClient: PlatformAuthFlowClient, betterAuthSessionService: BetterAuthSessionService, logger: Logger);
+    /**
+     * Revokes refresh token and clears auth cookies before redirecting to sign-in.
+     */
+    private revokeRefreshTokenAndClearCookies;
+    /**
+     * Completes auth flow using Identity refresh token (platform fast-path).
+     */
+    completeWithIdentityRefreshToken(refreshToken: string, params: PlatformParams, req: Request, res: Response): Promise<URL | null>;
+    /**
+     * Completes auth flow using Better Auth session token received from handler response.
+     */
+    completeWithSocialSessionToken(sessionToken: string, params: PlatformParams, req: Request, res: Response): Promise<URL | null>;
+}
+//# sourceMappingURL=pkce-flow-orchestrator.d.ts.map

package/dist/services/auth/pkce-flow-orchestrator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce-flow-orchestrator.d.ts","sourceRoot":"","sources":["../../../src/services/auth/pkce-flow-orchestrator.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACjD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iCAAiC,CAAC;AAGrE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,oCAAoC,CAAC;AAG1E,OAAO,EAKL,KAAK,cAAc,EACpB,MAAM,8BAA8B,CAAC;AAItC,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,wCAAwC,CAAC;AACvF,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AAC1E,OAAO,EAAE,sBAAsB,EAAwB,MAAM,gCAAgC,CAAC;AAE9F;;GAEG;AACH,qBAAa,oBAAoB;IAE7B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,WAAW;IAC5B,OAAO,CAAC,QAAQ,CAAC,kBAAkB;IACnC,OAAO,CAAC,QAAQ,CAAC,sBAAsB;IACvC,OAAO,CAAC,QAAQ,CAAC,wBAAwB;IACzC,OAAO,CAAC,QAAQ,CAAC,MAAM;gBALN,aAAa,EAAE,aAAa,EAC5B,WAAW,EAAE,eAAe,EAC5B,kBAAkB,EAAE,kBAAkB,EACtC,sBAAsB,EAAE,sBAAsB,EAC9C,wBAAwB,EAAE,wBAAwB,EAClD,MAAM,EAAE,MAAM;IAGjC;;OAEG;YACW,iCAAiC;IAkB/C;;OAEG;IACG,gCAAgC,CACpC,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,cAAc,EACtB,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,GACZ,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC;IAmDtB;;OAEG;IACG,8BAA8B,CAClC,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,cAAc,EACtB,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,GACZ,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC;CAkCvB"}

package/dist/services/auth/pkce-flow-orchestrator.js

@@ -0,0 +1,134 @@
+import { ProtocolRoute } from '@owox/idp-protocol';
+import { SOURCE } from '../../core/constants.js';
+import { AuthenticationException, isStateExpiredError } from '../../core/exceptions.js';
+import { buildUserInfoPayload } from '../../mappers/user-info-payload-builder.js';
+import { buildPlatformRedirectUrl } from '../../utils/platform-redirect-builder.js';
+import { clearAllAuthCookies, clearBetterAuthCookies, extractState, extractStateFromCookie, } from '../../utils/request-utils.js';
+import { clearCookie } from '../../utils/cookie-policy.js';
+import { CORE_REFRESH_TOKEN_COOKIE } from '../../core/constants.js';
+import { formatError } from '../../utils/string-utils.js';
+/**
+ * Orchestrates PKCE completion for Platform using core tokens or social login.
+ */
+export class PkceFlowOrchestrator {
+    idpOwoxConfig;
+    tokenFacade;
+    userContextService;
+    platformAuthFlowClient;
+    betterAuthSessionService;
+    logger;
+    constructor(idpOwoxConfig, tokenFacade, userContextService, platformAuthFlowClient, betterAuthSessionService, logger) {
+        this.idpOwoxConfig = idpOwoxConfig;
+        this.tokenFacade = tokenFacade;
+        this.userContextService = userContextService;
+        this.platformAuthFlowClient = platformAuthFlowClient;
+        this.betterAuthSessionService = betterAuthSessionService;
+        this.logger = logger;
+    }
+    /**
+     * Revokes refresh token and clears auth cookies before redirecting to sign-in.
+     */
+    async revokeRefreshTokenAndClearCookies(refreshToken, req, res) {
+        try {
+            if (refreshToken) {
+                await this.tokenFacade.revokeToken(refreshToken);
+            }
+        }
+        catch (revokeError) {
+            this.logger.warn('Failed to revoke refresh token during user-context recovery', {
+                error: formatError(revokeError),
+            });
+        }
+        clearCookie(res, CORE_REFRESH_TOKEN_COOKIE, req);
+        clearBetterAuthCookies(res, req);
+    }
+    /**
+     * Completes auth flow using Identity refresh token (platform fast-path).
+     */
+    async completeWithIdentityRefreshToken(refreshToken, params, req, res) {
+        const state = extractState(req);
+        if (!state) {
+            this.logger.warn('Missing or mismatched state for identity refresh flow');
+            return null;
+        }
+        try {
+            const auth = await this.tokenFacade.refreshToken(refreshToken);
+            if (auth.refreshToken && auth.refreshTokenExpiresIn !== undefined) {
+                this.tokenFacade.setTokenToCookie(res, req, auth.refreshToken, auth.refreshTokenExpiresIn);
+            }
+            const { user, account } = await this.userContextService.resolveFromToken(auth.accessToken);
+            const payload = buildUserInfoPayload({
+                state,
+                user,
+                account,
+            });
+            const result = await this.platformAuthFlowClient.completeAuthFlow(payload);
+            const redirectUrl = buildPlatformRedirectUrl({
+                baseUrl: this.idpOwoxConfig.idpConfig.platformSignInUrl,
+                code: result.code,
+                state,
+                params,
+                defaultSource: SOURCE.APP,
+                allowedRedirectOrigins: this.idpOwoxConfig.idpConfig.allowedRedirectOrigins,
+            });
+            if (!redirectUrl) {
+                this.logger.warn('Failed to build redirect URL after identity refresh');
+            }
+            return redirectUrl;
+        }
+        catch (error) {
+            if (isStateExpiredError(error)) {
+                clearAllAuthCookies(res, req);
+                return new URL(`/auth${ProtocolRoute.SIGN_IN}`, this.idpOwoxConfig.baseUrl);
+            }
+            if (error instanceof AuthenticationException) {
+                this.logger.warn('Failed to resolve user from access token, redirecting to sign-in', {
+                    error: formatError(error),
+                });
+                await this.revokeRefreshTokenAndClearCookies(refreshToken, req, res);
+                return new URL(`/auth${ProtocolRoute.SIGN_IN}`, this.idpOwoxConfig.baseUrl);
+            }
+            this.logger.warn('Platform fast-path failed, will fallback to UI', {
+                error: formatError(error),
+            });
+            return null;
+        }
+    }
+    /**
+     * Completes auth flow using Better Auth session token received from handler response.
+     */
+    async completeWithSocialSessionToken(sessionToken, params, req, res) {
+        const state = extractStateFromCookie(req);
+        if (!state) {
+            this.logger.warn('Missing or mismatched state for social login flow');
+            clearAllAuthCookies(res, req);
+            return new URL(`/auth${ProtocolRoute.SIGN_IN}`, this.idpOwoxConfig.baseUrl);
+        }
+        try {
+            const { code, payload } = await this.betterAuthSessionService.completeAuthFlowWithSessionToken(sessionToken, state);
+            const finalState = payload.state || state;
+            const redirectUrl = buildPlatformRedirectUrl({
+                baseUrl: this.idpOwoxConfig.idpConfig.platformSignInUrl,
+                code,
+                state: finalState || '',
+                params,
+                defaultSource: SOURCE.APP,
+                allowedRedirectOrigins: this.idpOwoxConfig.idpConfig.allowedRedirectOrigins,
+            });
+            if (redirectUrl) {
+                clearAllAuthCookies(res, req);
+                return redirectUrl;
+            }
+        }
+        catch (error) {
+            if (isStateExpiredError(error)) {
+                clearAllAuthCookies(res, req);
+                return new URL(`/auth${ProtocolRoute.SIGN_IN}`, this.idpOwoxConfig.baseUrl);
+            }
+            this.logger.warn('Auto-complete auth flow on callback failed', { error: formatError(error) });
+            clearAllAuthCookies(res, req);
+            return null;
+        }
+        return null;
+    }
+}

package/dist/services/auth/platform-auth-flow-client.d.ts

@@ -0,0 +1,16 @@
+import type { IdentityOwoxClient } from '../../client/IdentityOwoxClient.js';
+import type { AuthFlowRequest } from '../../client/dto/authFlowDto.js';
+export type UserInfoPayload = AuthFlowRequest;
+/**
+ * Client wrapper for Platform auth flow completion with logging.
+ * Delegates HTTP communication to IdentityOwoxClient.
+ */
+export declare class PlatformAuthFlowClient {
+    private readonly identityClient;
+    constructor(identityClient: IdentityOwoxClient);
+    /** Exchanges user info for a one-time authorization code. */
+    completeAuthFlow(payload: UserInfoPayload): Promise<{
+        code: string;
+    }>;
+}
+//# sourceMappingURL=platform-auth-flow-client.d.ts.map

package/dist/services/auth/platform-auth-flow-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"platform-auth-flow-client.d.ts","sourceRoot":"","sources":["../../../src/services/auth/platform-auth-flow-client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oCAAoC,CAAC;AAC7E,OAAO,KAAK,EAAE,eAAe,EAAoB,MAAM,iCAAiC,CAAC;AAGzF,MAAM,MAAM,eAAe,GAAG,eAAe,CAAC;AAE9C;;;GAGG;AACH,qBAAa,sBAAsB;IACrB,OAAO,CAAC,QAAQ,CAAC,cAAc;gBAAd,cAAc,EAAE,kBAAkB;IAE/D,6DAA6D;IACvD,gBAAgB,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;CAsB5E"}

package/dist/services/auth/platform-auth-flow-client.js

@@ -0,0 +1,32 @@
+import { logger } from '../../core/logger.js';
+/**
+ * Client wrapper for Platform auth flow completion with logging.
+ * Delegates HTTP communication to IdentityOwoxClient.
+ */
+export class PlatformAuthFlowClient {
+    identityClient;
+    constructor(identityClient) {
+        this.identityClient = identityClient;
+    }
+    /** Exchanges user info for a one-time authorization code. */
+    async completeAuthFlow(payload) {
+        logger.info('Completing auth flow', {
+            hasState: Boolean(payload.state),
+            signinProvider: payload.userInfo.signinProvider,
+            userId: payload.userInfo.uid,
+        });
+        try {
+            // Delegate HTTP communication to the client layer
+            const response = await this.identityClient.completeAuthFlow(payload);
+            logger.info('Auth flow completed successfully', {
+                hasCode: Boolean(response.code),
+            });
+            return { code: response.code };
+        }
+        catch (error) {
+            // Log error with context for troubleshooting
+            logger.error('Failed to complete auth flow', {}, error);
+            throw error;
+        }
+    }
+}

package/dist/services/core/token-service.d.ts

@@ -0,0 +1,25 @@
+import { Payload } from '@owox/idp-protocol';
+import ms from 'ms';
+import { IdentityOwoxClient } from '../../client/index.js';
+export interface TokenServiceConfig {
+    algorithm: string;
+    clockTolerance: ms.StringValue | number;
+    issuer: string;
+    jwtKeyCacheTtl: ms.StringValue;
+}
+/**
+ * Validates and parses JWT access tokens using JWKS cache.
+ */
+export declare class TokenService {
+    private readonly client;
+    private readonly config;
+    private readonly jwksCache;
+    constructor(client: IdentityOwoxClient, config: TokenServiceConfig);
+    normalizeToken(authorization: string): string;
+    parse(token: string): Promise<Payload | null>;
+    verify(token: string): Promise<Payload | null>;
+    formatError(error: unknown): string;
+    private fetchJwks;
+    private verifyJwt;
+}
+//# sourceMappingURL=token-service.d.ts.map

package/dist/services/core/token-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-service.d.ts","sourceRoot":"","sources":["../../../src/services/core/token-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAE7C,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAM3D,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,EAAE,CAAC,WAAW,GAAG,MAAM,CAAC;IACxC,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,EAAE,CAAC,WAAW,CAAC;CAChC;AAED;;GAEG;AACH,qBAAa,YAAY;IAIrB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,MAAM;IAJzB,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAGR,MAAM,EAAE,kBAAkB,EAC1B,MAAM,EAAE,kBAAkB;IAK7C,cAAc,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM;IAIvC,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAU7C,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAIpD,WAAW,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM;YAIrB,SAAS;YAKT,SAAS;CAsBxB"}

package/dist/services/core/token-service.js

@@ -0,0 +1,56 @@
+import { decodeProtectedHeader } from 'jose';
+import ms from 'ms';
+import { makeJwksCache } from '../../jwt/jwksCache.js';
+import { verify } from '../../jwt/verifyJwt.js';
+import { toPayload } from '../../mappers/client-payload-mapper.js';
+import { formatError } from '../../utils/string-utils.js';
+/**
+ * Validates and parses JWT access tokens using JWKS cache.
+ */
+export class TokenService {
+    client;
+    config;
+    jwksCache;
+    constructor(client, config) {
+        this.client = client;
+        this.config = config;
+        this.jwksCache = makeJwksCache(this.fetchJwks.bind(this), 'OWOX_JWKS');
+    }
+    normalizeToken(authorization) {
+        return authorization.replace(/^Bearer\s+/i, '').trim();
+    }
+    async parse(token) {
+        try {
+            const normalized = this.normalizeToken(token);
+            const { payload } = await this.verifyJwt(normalized);
+            return toPayload(payload);
+        }
+        catch {
+            return null;
+        }
+    }
+    async verify(token) {
+        return this.parse(token);
+    }
+    formatError(error) {
+        return formatError(error);
+    }
+    async fetchJwks() {
+        const resp = await this.client.getJwks();
+        return { keys: resp.keys };
+    }
+    async verifyJwt(token) {
+        const { alg } = decodeProtectedHeader(token);
+        if (alg && alg !== this.config.algorithm) {
+            throw new Error(`Unsupported JWT alg: ${alg}`);
+        }
+        const clockToleranceSeconds = typeof this.config.clockTolerance === 'string'
+            ? ms(this.config.clockTolerance) / 1000
+            : this.config.clockTolerance;
+        return verify(token, async () => (await this.jwksCache.get(ms(this.config.jwtKeyCacheTtl))).keyResolver, async () => (await this.jwksCache.refresh(ms(this.config.jwtKeyCacheTtl))).keyResolver, {
+            algorithm: this.config.algorithm,
+            clockTolerance: clockToleranceSeconds,
+            issuer: this.config.issuer,
+        });
+    }
+}