@pelican-identity/auth-core 1.2.9 → 1.2.11

package/dist/index.js

@@ -1,8 +1,614 @@
-export * from "./types/types";
-export { PelicanAuthentication } from "./engine/engine";
-export { CryptoService } from "./utilities/crypto";
-export { StateMachine } from "./utilities/stateMachine";
-export { Transport } from "./utilities/transport";
-export * from "./utilities/storage";
-export { BASEURL } from "./constants";
+'use strict';
+
+var nacl = require('tweetnacl');
+var tweetnaclUtil = require('tweetnacl-util');
+var QRCode = require('qrcode');
+
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
+
+var nacl__default = /*#__PURE__*/_interopDefault(nacl);
+var QRCode__default = /*#__PURE__*/_interopDefault(QRCode);
+
+// src/utilities/crypto.ts
+var CryptoService = class {
+  generateSymmetricKey() {
+    const key = nacl__default.default.randomBytes(32);
+    return tweetnaclUtil.encodeBase64(key);
+  }
+  /**
+   * Encrypt with symmetric key (secret-key encryption)
+   * Use this when both parties share the same secret key
+   * @param plaintext - Message to encrypt
+   * @param keyString - Symmetric key (base64)
+   * @returns Encrypted message with nonce
+   */
+  encryptSymmetric({
+    plaintext,
+    keyString
+  }) {
+    const key = tweetnaclUtil.decodeBase64(keyString);
+    const nonce = nacl__default.default.randomBytes(24);
+    const messageBytes = new TextEncoder().encode(plaintext);
+    const ciphertext = nacl__default.default.secretbox(messageBytes, nonce, key);
+    return {
+      cipher: tweetnaclUtil.encodeBase64(ciphertext),
+      nonce: tweetnaclUtil.encodeBase64(nonce)
+    };
+  }
+  /**
+   * Decrypt with symmetric key
+   * @param encrypted - Encrypted message with nonce
+   * @param keyString - Symmetric key (base64)
+   * @returns Decrypted plaintext
+   */
+  decryptSymmetric({
+    encrypted,
+    keyString
+  }) {
+    try {
+      const key = tweetnaclUtil.decodeBase64(keyString);
+      const ciphertextBytes = tweetnaclUtil.decodeBase64(encrypted.cipher);
+      const nonceBytes = tweetnaclUtil.decodeBase64(encrypted.nonce);
+      const decrypted = nacl__default.default.secretbox.open(ciphertextBytes, nonceBytes, key);
+      if (!decrypted) {
+        throw new Error("Decryption failed - invalid key or corrupted data");
+      }
+      const decoded = new TextDecoder().decode(decrypted);
+      return decoded;
+    } catch (error) {
+      console.error("Decryption failed", error);
+      return null;
+    }
+  }
+};
+var crypto_default = CryptoService;
+
+// src/utilities/storage.ts
+var AuthStorage = class {
+  constructor() {
+    this.prefix = "pelican_auth_";
+    this.defaultTTL = 5 * 60 * 1e3;
+    // 5 minutes
+    this.memoryCache = /* @__PURE__ */ new Map();
+  }
+  /**
+   * Store auth session with automatic cleanup
+   */
+  set(key, value, options = {}) {
+    const { ttlMs = this.defaultTTL, useSessionStorage = true } = options;
+    const expiresAt = Date.now() + ttlMs;
+    const data = { value, expiresAt };
+    if (useSessionStorage) {
+      try {
+        sessionStorage.setItem(`${this.prefix}${key}`, JSON.stringify(data));
+      } catch (error) {
+        console.warn("SessionStorage unavailable, using memory:", error);
+        this.setMemory(key, data);
+      }
+    } else {
+      this.setMemory(key, data);
+    }
+  }
+  /**
+   * Get stored value if not expired
+   */
+  get(key) {
+    try {
+      const stored = sessionStorage.getItem(`${this.prefix}${key}`);
+      if (stored) {
+        const data = JSON.parse(stored);
+        if (Date.now() > data.expiresAt) {
+          this.remove(key);
+          return null;
+        }
+        return data.value;
+      }
+    } catch (error) {
+    }
+    return this.getMemory(key);
+  }
+  /**
+   * Remove specific key
+   */
+  remove(key) {
+    try {
+      sessionStorage.removeItem(`${this.prefix}${key}`);
+    } catch (error) {
+    }
+    this.memoryCache.delete(key);
+  }
+  /**
+   * Clear all auth data
+   */
+  clear() {
+    try {
+      Object.keys(sessionStorage).forEach((key) => {
+        if (key.startsWith(this.prefix)) {
+          sessionStorage.removeItem(key);
+        }
+      });
+    } catch (error) {
+    }
+    this.memoryCache.clear();
+  }
+  // ========================================
+  // Memory cache helpers
+  // ========================================
+  setMemory(key, data) {
+    this.memoryCache.set(key, data);
+    const ttl = data.expiresAt - Date.now();
+    setTimeout(() => {
+      this.memoryCache.delete(key);
+    }, ttl);
+  }
+  getMemory(key) {
+    const data = this.memoryCache.get(key);
+    if (!data) return null;
+    if (Date.now() > data.expiresAt) {
+      this.memoryCache.delete(key);
+      return null;
+    }
+    return data.value;
+  }
+};
+var storage = new AuthStorage();
+var storeAuthSession = (sessionId, sessionKey, ttlMs) => {
+  storage.set("session", { sessionId, sessionKey }, { ttlMs });
+};
+var getAuthSession = () => {
+  return storage.get("session");
+};
+var clearAuthSession = () => {
+  storage.remove("session");
+};
+var clearAllAuthData = () => {
+  storage.clear();
+};
+
+// src/utilities/stateMachine.ts
+var StateMachine = class {
+  constructor() {
+    this.state = "idle";
+    this.listeners = /* @__PURE__ */ new Set();
+  }
+  get current() {
+    return this.state;
+  }
+  transition(next) {
+    this.state = next;
+    this.listeners.forEach((l) => l(next));
+  }
+  subscribe(fn) {
+    this.listeners.add(fn);
+    return () => this.listeners.delete(fn);
+  }
+};
+
+// src/utilities/transport.ts
+var Transport = class {
+  constructor(handlers) {
+    this.reconnectAttempts = 0;
+    this.maxReconnectAttempts = 3;
+    // Reduced from 5 for mobile
+    this.isExplicitlyClosed = false;
+    this.isReconnecting = false;
+    this.handlers = handlers;
+  }
+  /**
+   * Establish WebSocket connection
+   * @param url - WebSocket URL
+   */
+  connect(url) {
+    this.url = url;
+    this.isExplicitlyClosed = false;
+    if (this.socket) {
+      this.socket.onclose = null;
+      this.socket.onerror = null;
+      this.socket.onmessage = null;
+      this.socket.onopen = null;
+      if (this.socket.readyState === WebSocket.OPEN || this.socket.readyState === WebSocket.CONNECTING) {
+        this.socket.close();
+      }
+    }
+    this.socket = new WebSocket(url);
+    this.socket.onopen = () => {
+      this.reconnectAttempts = 0;
+      this.isReconnecting = false;
+      this.handlers.onOpen?.();
+    };
+    this.socket.onmessage = (e) => {
+      try {
+        const data = JSON.parse(e.data);
+        this.handlers.onMessage?.(data);
+      } catch (err) {
+        console.error("Failed to parse WebSocket message", err);
+      }
+    };
+    this.socket.onerror = (e) => {
+      if (!this.isReconnecting && !this.isExplicitlyClosed) {
+        this.handlers.onError?.(e);
+      }
+    };
+    this.socket.onclose = (e) => {
+      if (this.reconnectTimeout) {
+        clearTimeout(this.reconnectTimeout);
+        this.reconnectTimeout = void 0;
+      }
+      if (!this.isReconnecting) {
+        this.handlers.onClose?.(e);
+      }
+      if (!this.isExplicitlyClosed && !this.isReconnecting && this.reconnectAttempts < this.maxReconnectAttempts) {
+        this.attemptReconnect();
+      }
+    };
+  }
+  /**
+   * Attempt to reconnect with exponential backoff
+   */
+  attemptReconnect() {
+    if (this.reconnectAttempts >= this.maxReconnectAttempts) {
+      console.warn("Max WebSocket reconnect attempts reached");
+      return;
+    }
+    this.isReconnecting = true;
+    this.reconnectAttempts++;
+    const delay = Math.min(Math.pow(2, this.reconnectAttempts - 1) * 500, 2e3);
+    console.log(
+      `Reconnecting WebSocket (attempt ${this.reconnectAttempts}/${this.maxReconnectAttempts}) in ${delay}ms...`
+    );
+    this.reconnectTimeout = window.setTimeout(() => {
+      if (this.url && !this.isExplicitlyClosed) {
+        this.connect(this.url);
+      }
+    }, delay);
+  }
+  /**
+   * Send a message through the WebSocket
+   * Queues message if connection is not open
+   */
+  send(payload) {
+    if (this.socket?.readyState === WebSocket.OPEN) {
+      try {
+        this.socket.send(JSON.stringify(payload));
+      } catch (err) {
+        console.error("Failed to send WebSocket message:", err);
+      }
+    } else {
+      console.warn(
+        "WebSocket not open, message not sent:",
+        this.socket?.readyState
+      );
+    }
+  }
+  /**
+   * Close the WebSocket connection
+   * Prevents automatic reconnection
+   */
+  close() {
+    this.isExplicitlyClosed = true;
+    this.isReconnecting = false;
+    if (this.reconnectTimeout) {
+      clearTimeout(this.reconnectTimeout);
+      this.reconnectTimeout = void 0;
+    }
+    if (this.socket) {
+      this.socket.onclose = null;
+      this.socket.onerror = null;
+      this.socket.onmessage = null;
+      this.socket.onopen = null;
+      if (this.socket.readyState === WebSocket.OPEN || this.socket.readyState === WebSocket.CONNECTING) {
+        this.socket.close();
+      }
+      this.socket = void 0;
+    }
+  }
+  /**
+   * Get current connection state
+   */
+  get readyState() {
+    return this.socket?.readyState;
+  }
+  /**
+   * Check if connection is open
+   */
+  get isOpen() {
+    return this.socket?.readyState === WebSocket.OPEN;
+  }
+};
+
+// src/constants.ts
+var BASEURL = "http://192.168.1.9:8080";
+
+// src/engine/engine.ts
+var PelicanAuthentication = class {
+  constructor(config) {
+    this.crypto = new crypto_default();
+    this.stateMachine = new StateMachine();
+    this.sessionId = "";
+    this.sessionKey = null;
+    this.useWebSocket = true;
+    this.listeners = {};
+    if (!config.publicKey) throw new Error("Missing publicKey");
+    if (!config.projectId) throw new Error("Missing projectId");
+    if (!config.authType) throw new Error("Missing authType");
+    this.config = {
+      continuousMode: false,
+      forceQRCode: false,
+      ...config
+    };
+    this.stateMachine.subscribe((s) => this.emit("state", s));
+    this.attachVisibilityRecovery();
+  }
+  /* -------------------- Public API -------------------- */
+  on(event, cb) {
+    var _a;
+    (_a = this.listeners)[event] ?? (_a[event] = /* @__PURE__ */ new Set());
+    this.listeners[event].add(cb);
+    return () => this.listeners[event].delete(cb);
+  }
+  async start() {
+    if (this.stateMachine.current !== "idle") return;
+    this.resetSession();
+    clearAuthSession();
+    this.stateMachine.transition("initializing");
+    try {
+      this.sessionKey = this.crypto.generateSymmetricKey();
+      this.sessionId = crypto.randomUUID() + crypto.randomUUID();
+      this.useWebSocket = this.shouldUseWebSocket();
+      if (this.useWebSocket) {
+        await this.startWebSocketFlow();
+      } else {
+        await this.startDeepLinkFlow();
+      }
+    } catch (err) {
+      this.fail(err instanceof Error ? err : new Error("Start failed"));
+    }
+  }
+  stop() {
+    this.terminate(false);
+  }
+  destroy() {
+    this.detachVisibilityRecovery();
+    this.clearBackupCheck();
+    this.transport?.close();
+    this.transport = void 0;
+    this.listeners = {};
+  }
+  /* -------------------- Flow Selection -------------------- */
+  shouldUseWebSocket() {
+    return this.config.forceQRCode || !/Android|iPhone|iPad/i.test(navigator.userAgent);
+  }
+  /* -------------------- WebSocket Flow (QR Code) -------------------- */
+  async startWebSocketFlow() {
+    const relay = await this.fetchRelayUrl();
+    this.transport = new Transport({
+      onOpen: () => {
+        this.transport.send({
+          type: "register",
+          sessionID: this.sessionId,
+          ...this.config
+        });
+        this.stateMachine.transition("awaiting-pair");
+      },
+      onMessage: (msg) => this.handleWebSocketMessage(msg),
+      onError: (err) => {
+        console.error("WebSocket error:", err);
+        this.fail(new Error("WebSocket connection failed"));
+      }
+    });
+    this.transport.connect(relay);
+    await this.emitQRCode();
+  }
+  handleWebSocketMessage(msg) {
+    switch (msg.type) {
+      case "paired":
+        this.stateMachine.transition("paired");
+        this.transport.send({
+          type: "authenticate",
+          sessionID: this.sessionId,
+          ...this.config,
+          url: window.location.href
+        });
+        return;
+      case "phone-auth-success":
+        this.handleAuthSuccess(msg);
+        return;
+      case "phone-terminated":
+        this.fail(new Error("Authentication cancelled on device"));
+        this.restartIfContinuous();
+        return;
+      case "confirmed":
+        this.terminate(true);
+        this.restartIfContinuous();
+        return;
+    }
+  }
+  handleAuthSuccess(msg) {
+    if (!this.sessionKey || !msg.cipher || !msg.nonce) {
+      this.fail(new Error("Invalid authentication payload"));
+      this.restartIfContinuous();
+      return;
+    }
+    try {
+      const decrypted = this.crypto.decryptSymmetric({
+        encrypted: { cipher: msg.cipher, nonce: msg.nonce },
+        keyString: this.sessionKey
+      });
+      if (!decrypted) {
+        this.fail(new Error("Invalid authentication data"));
+        this.restartIfContinuous();
+        return;
+      }
+      const result = JSON.parse(decrypted);
+      this.emit("success", result);
+      this.stateMachine.transition("authenticated");
+      this.transport?.send({
+        type: "confirm",
+        sessionID: this.sessionId
+      });
+    } catch {
+      this.fail(new Error("Failed to decrypt authentication data"));
+      this.restartIfContinuous();
+    }
+  }
+  /* -------------------- Deep Link Flow (Mobile) -------------------- */
+  async startDeepLinkFlow() {
+    await this.fetchRelayUrl();
+    if (this.sessionKey) {
+      storeAuthSession(this.sessionId, this.sessionKey, 10 * 6e4);
+    }
+    await this.emitDeepLink();
+    this.stateMachine.transition("awaiting-pair");
+  }
+  clearBackupCheck() {
+    if (this.backupCheckTimeout) {
+      clearTimeout(this.backupCheckTimeout);
+      this.backupCheckTimeout = void 0;
+    }
+  }
+  async checkSession() {
+    const cached = getAuthSession();
+    if (!cached) return;
+    this.stateMachine.transition("awaiting-auth");
+    try {
+      const res = await fetch(
+        `${BASEURL}/session?session_id=${cached.sessionId}`
+      );
+      if (!res.ok) return;
+      const data = await res.json();
+      const decrypted = this.crypto.decryptSymmetric({
+        encrypted: { cipher: data.cipher, nonce: data.nonce },
+        keyString: cached.sessionKey
+      });
+      if (!decrypted) {
+        console.warn("Failed to decrypt session");
+        return;
+      }
+      const result = JSON.parse(decrypted);
+      this.clearBackupCheck();
+      clearAuthSession();
+      this.emit("success", result);
+      this.stateMachine.transition("authenticated");
+      if (this.config.continuousMode) {
+        setTimeout(() => {
+          this.stateMachine.transition("confirmed");
+          this.start();
+        }, 1500);
+      } else {
+        this.stateMachine.transition("confirmed");
+      }
+    } catch (err) {
+      console.debug("Session check failed:", err);
+    }
+  }
+  /* -------------------- Entry Point Generation -------------------- */
+  async emitQRCode() {
+    const payload = {
+      sessionID: this.sessionId,
+      sessionKey: this.sessionKey,
+      publicKey: this.config.publicKey,
+      authType: this.config.authType,
+      projectId: this.config.projectId,
+      url: window.location.href
+    };
+    const qr = await QRCode__default.default.toDataURL(JSON.stringify(payload), {
+      type: "image/png",
+      scale: 3,
+      color: { light: "#ffffff", dark: "#424242ff" }
+    });
+    this.emit("qr", qr);
+  }
+  async emitDeepLink() {
+    const deeplink = `pelicanvault://auth/deep-link?sessionID=${encodeURIComponent(
+      this.sessionId
+    )}&sessionKey=${encodeURIComponent(
+      this.sessionKey
+    )}&publicKey=${encodeURIComponent(this.config.publicKey)}&authType=${this.config.authType}&projectId=${encodeURIComponent(
+      this.config.projectId
+    )}&url=${encodeURIComponent(window.location.href)}`;
+    this.emit("deeplink", deeplink);
+  }
+  /* -------------------- Visibility Recovery -------------------- */
+  attachVisibilityRecovery() {
+    this.visibilityHandler = async () => {
+      if (document.visibilityState !== "visible") return;
+      if (this.useWebSocket) return;
+      await this.checkSession();
+    };
+    document.addEventListener("visibilitychange", this.visibilityHandler);
+  }
+  detachVisibilityRecovery() {
+    if (this.visibilityHandler) {
+      document.removeEventListener("visibilitychange", this.visibilityHandler);
+      this.visibilityHandler = void 0;
+    }
+  }
+  /* -------------------- Helpers -------------------- */
+  async fetchRelayUrl() {
+    const { publicKey, projectId, authType } = this.config;
+    const res = await fetch(
+      `${BASEURL}/relay?public_key=${publicKey}&auth_type=${authType}&project_id=${projectId}`
+    );
+    if (!res.ok) {
+      const error = await res.text();
+      throw new Error(error);
+    }
+    const json = await res.json();
+    return json.relay_url;
+  }
+  terminate(success) {
+    this.clearBackupCheck();
+    if (this.transport) {
+      if (!success) {
+        this.transport.send({
+          type: "client-terminated",
+          sessionID: this.sessionId,
+          projectId: this.config.projectId,
+          publicKey: this.config.publicKey,
+          authType: this.config.authType
+        });
+      }
+      this.transport.close();
+      this.transport = void 0;
+    }
+    clearAuthSession();
+    this.resetSession();
+    if (!this.config.continuousMode) {
+      this.detachVisibilityRecovery();
+    }
+    this.stateMachine.transition(success ? "confirmed" : "idle");
+  }
+  restartIfContinuous() {
+    if (!this.config.continuousMode) return;
+    this.clearBackupCheck();
+    this.transport?.close();
+    this.transport = void 0;
+    this.stateMachine.transition("idle");
+    setTimeout(() => {
+      this.start();
+    }, 150);
+  }
+  resetSession() {
+    this.sessionId = "";
+    this.sessionKey = null;
+  }
+  emit(event, payload) {
+    this.listeners[event]?.forEach((cb) => cb(payload));
+  }
+  fail(err) {
+    this.emit("error", err);
+    this.stateMachine.transition("error");
+  }
+};
+
+exports.BASEURL = BASEURL;
+exports.CryptoService = CryptoService;
+exports.PelicanAuthentication = PelicanAuthentication;
+exports.StateMachine = StateMachine;
+exports.Transport = Transport;
+exports.clearAllAuthData = clearAllAuthData;
+exports.clearAuthSession = clearAuthSession;
+exports.getAuthSession = getAuthSession;
+exports.storeAuthSession = storeAuthSession;
+//# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map