@pmate/account-sdk 0.6.0 → 0.6.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pmate/account-sdk",
-  "version": "0.6.0",
+  "version": "0.6.1",
   "type": "module",
   "files": [
     "src",
@@ -8,38 +8,52 @@
     "!src/tests/**"
   ],
   "exports": {
-    ".": "./src/index.ts"
+    ".": "./src/index.ts",
+    "./node": "./src/node/index.ts"
   },
   "publishConfig": {
     "access": "public"
   },
+  "scripts": {
+    "npm:publish": "npm publish --registry https://registry.npmjs.org/",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  },
   "peerDependencies": {
     "jotai": "*",
     "jotai-family": "*",
     "react": "*"
   },
+  "peerDependenciesMeta": {
+    "jotai": {
+      "optional": true
+    },
+    "jotai-family": {
+      "optional": true
+    },
+    "react": {
+      "optional": true
+    }
+  },
   "dependencies": {
+    "@pmate/lang": "^1.0.2",
+    "@pmate/meta": "^1.1.3",
+    "@pmate/service-core": "^1.0.0",
+    "@pmate/utils": "^1.0.3",
     "browser-image-compression": "^2.0.2",
+    "elysia": "^1.4.19",
     "i18next": "^23.0.0",
     "react-i18next": "^13.0.0",
-    "react-use": "^17.6.0",
-    "@pmate/lang": "1.0.2",
-    "@pmate/utils": "1.0.3",
-    "@pmate/meta": "1.1.3"
+    "react-use": "^17.6.0"
   },
   "devDependencies": {
-    "@types/react": "*",
-    "@types/react-dom": "*",
+    "@types/react": "catalog:",
+    "@types/react-dom": "catalog:",
     "@vitejs/plugin-react": "^4.2.1",
     "jsdom": "^26.1.0",
     "react-dom": "*",
     "typescript": "^5.2.2",
-    "vite": "^7.3.1",
+    "vite": "catalog:",
     "vitest": "^4.0.17"
-  },
-  "scripts": {
-    "npm:publish": "npm publish --registry https://registry.npmjs.org/",
-    "test": "vitest run",
-    "test:watch": "vitest"
   }
-}
+}

package/src/atoms/appConfigAtom.ts

@@ -0,0 +1,24 @@
+import { atom, type Atom } from "jotai"
+import { atomFamily, type AtomFamily } from "jotai-family"
+import { DEFAULT_APP_ID } from "../constants"
+import { AppService } from "../api/AppService"
+import type { AppConfig } from "../types/app"
+import { resolveAppId } from "../utils/resolveAppId"
+
+export const resolveAppConfigId = (app?: string | null) => {
+  return resolveAppId(app ?? DEFAULT_APP_ID)
+}
+
+type AppConfigAtomFamily = AtomFamily<string, Atom<Promise<AppConfig>>>
+
+export const appConfigAtom: AppConfigAtomFamily = atomFamily((appId: string) =>
+  atom(async () => {
+    return AppService.getAppConfig(appId)
+  })
+)
+
+export const clearAppConfigAtoms = () => {
+  for (const appId of appConfigAtom.getParams()) {
+    appConfigAtom.remove(appId)
+  }
+}

package/src/atoms/index.ts

@@ -1,4 +1,5 @@
 export * from "./uploadAvatarAtom"
+export * from "./appConfigAtom"
 export * from "./accountAtom"
 export * from "./accountProfileAtom"
 export * from "./switchProfileAtom"

package/src/components/AuthProviderV2.tsx

@@ -6,7 +6,6 @@ import {
   PropsWithChildren,
   useCallback,
   useEffect,
-  useMemo,
   useState,
 } from "react"
 import { useAuthSnapshot } from "../hooks/useAuthSnapshot"
@@ -61,8 +60,8 @@ const getAuthBehaviors = (
   })
   const authBehavior =
     matchedAuthRoute && typeof matchedAuthRoute !== "string"
-      ? (matchedAuthRoute.behavior ?? "prompt")
-      : "prompt"
+      ? (matchedAuthRoute.behavior ?? "redirect")
+      : "redirect"
   const requiresAuth = Boolean(matchedAuthRoute)
   return {
     authBehavior,
@@ -76,7 +75,6 @@ type AuthProviderV2Props = PropsWithChildren<{
   onLoginSuccess?: () => void | Promise<void>
   rtcProvider?: React.ComponentType<{ children: React.ReactNode }>
   pathname?: string
-  navigate?: (to: string, options?: { replace?: boolean }) => void
 }>
 
 const useWindowPathname = () => {
@@ -94,22 +92,9 @@ export const AuthProviderV2 = ({
   authRoutes,
   rtcProvider: RtcProvider,
   pathname: pathnameProp,
-  navigate: navigateProp,
   children,
 }: AuthProviderV2Props) => {
   const pathname = pathnameProp ?? useWindowPathname()
-  const navigate = useMemo(() => {
-    if (navigateProp) {
-      return navigateProp
-    }
-    return (to: string, options?: { replace?: boolean }) => {
-      if (options?.replace) {
-        window.location.replace(to)
-        return
-      }
-      window.location.assign(to)
-    }
-  }, [navigateProp])
   const [isLoginPromptOpen, setIsLoginPromptOpen] = useState(false)
   const [isLoginErrorDismissed, setIsLoginErrorDismissed] = useState(false)
   const setAccountSnapshot = useSetAtom(accountAtom)
@@ -251,7 +236,7 @@ export const AuthProviderV2 = ({
   }
   const RtcWrapper = RtcProvider ?? (({ children }) => <>{children}</>)
   return (
-    <AuthErrorBoundary navigate={navigate}>
+    <AuthErrorBoundary app={app}>
       <RtcWrapper>{children}</RtcWrapper>
     </AuthErrorBoundary>
   )
@@ -297,15 +282,15 @@ class AuthErrorBoundaryInner extends Component<
 
 const AuthErrorBoundary = ({
   children,
-  navigate,
+  app,
 }: PropsWithChildren<{
-  navigate: (to: string, options?: { replace?: boolean }) => void
+  app: string
 }>) => {
   const logout = useSetAtom(userLogoutAtom)
   const handleAuthError = useCallback(async () => {
     await logout()
-    navigate("/login", { replace: true })
-  }, [logout, navigate])
+    Redirect.toLogin(app)
+  }, [app, logout])
 
   return (
     <AuthErrorBoundaryInner onAuthError={handleAuthError}>

package/src/hooks/useAppConfig.ts

@@ -1,8 +1,7 @@
 import { useEffect, useState } from "react"
+import { resolveAppConfigId } from "../atoms/appConfigAtom"
 import { AppService } from "../api/AppService"
-import { DEFAULT_APP_ID } from "../constants"
 import type { AppConfig } from "../types/app"
-import { resolveAppId } from "../utils/resolveAppId"
 
 type AppConfigState = {
   appConfig: AppConfig | null
@@ -11,7 +10,7 @@ type AppConfigState = {
 }
 
 export const useAppConfig = (app?: string | null): AppConfigState => {
-  const resolvedApp = resolveAppId(app ?? DEFAULT_APP_ID)
+  const resolvedApp = resolveAppConfigId(app)
   const [state, setState] = useState<AppConfigState>({
     appConfig: null,
     isLoading: true,
@@ -21,17 +20,25 @@ export const useAppConfig = (app?: string | null): AppConfigState => {
   useEffect(() => {
     let active = true
     setState({ appConfig: null, isLoading: true, error: null })
+
     AppService.getAppConfig(resolvedApp)
       .then((appConfig) => {
-        if (!active) return
+        if (!active) {
+          return
+        }
         setState({ appConfig, isLoading: false, error: null })
       })
       .catch((error: unknown) => {
-        if (!active) return
+        if (!active) {
+          return
+        }
         setState({
           appConfig: null,
           isLoading: false,
-          error: error instanceof Error ? error : new Error("Failed to load app config"),
+          error:
+            error instanceof Error
+              ? error
+              : new Error("Failed to load app config"),
         })
       })
 

package/src/hooks/useProfileStepFlow.ts

@@ -2,8 +2,6 @@ import { useCallback, useMemo } from "react"
 import { isProfileStepType, ProfileStepType } from "../utils/profileStep"
 import { useAppConfig } from "./useAppConfig"
 
-const DEFAULT_CREATE_STEP: ProfileStepType = "learning-language"
-
 type UseProfileStepFlowParams = {
   params: URLSearchParams
 }
@@ -13,7 +11,13 @@ export const useProfileStepFlow = ({
 }: UseProfileStepFlowParams) => {
   const appParam = params.get("app")
   const redirectParam = params.get("redirect")
-  const { appConfig } = useAppConfig(appParam)
+  const { appConfig, error, isLoading } = useAppConfig(appParam)
+  const shouldBlockStep = Boolean(appParam) && isLoading && !appConfig && !error
+
+  // The app registry decides the canonical order of profile steps.
+  // When the config is still loading for an explicit app, we intentionally
+  // block the create flow instead of briefly falling back to a synthetic
+  // default step that does not exist in the app schema.
   const appProfileSteps = useMemo<ProfileStepType[]>(
     () =>
       (appConfig?.profiles ?? [])
@@ -24,15 +28,27 @@ export const useProfileStepFlow = ({
   const stepParam = params.get("step")
   const normalizedStep: ProfileStepType | null =
     appProfileSteps.find((item) => item === stepParam) ?? null
-  const defaultStep: ProfileStepType = appProfileSteps[0] ?? DEFAULT_CREATE_STEP
-  const activeStep: ProfileStepType = normalizedStep ?? defaultStep
+
+  // step=... wins when it is valid for the current app.
+  // Otherwise we use the first configured step. If the app does not declare
+  // any profile schema, create-profile should stay unavailable instead of
+  // inventing a fallback step.
+  const defaultStep: ProfileStepType | null = shouldBlockStep
+    ? null
+    : (appProfileSteps[0] ?? null)
+  const activeStep: ProfileStepType | null = normalizedStep ?? defaultStep
+
+  // createSteps stays empty while we intentionally block rendering.
+  // Once app config is ready, it mirrors the registry schema order exactly.
   const createSteps = useMemo<ProfileStepType[]>(() => {
-    return appProfileSteps.length > 0 ? appProfileSteps : [DEFAULT_CREATE_STEP]
-  }, [appProfileSteps])
-  const currentStepIndex = createSteps.indexOf(activeStep)
+    return shouldBlockStep ? [] : appProfileSteps
+  }, [appProfileSteps, shouldBlockStep])
+  const currentStepIndex =
+    activeStep === null ? -1 : createSteps.indexOf(activeStep)
   const nextStep =
     currentStepIndex >= 0 ? createSteps[currentStepIndex + 1] : undefined
-  const isCreateFlowStep = createSteps.includes(activeStep)
+  const isCreateFlowStep =
+    activeStep === null ? false : createSteps.includes(activeStep)
   const buildStepUrl = useCallback(
     (next: ProfileStepType) => {
       const search = new URLSearchParams()
@@ -53,7 +69,10 @@ export const useProfileStepFlow = ({
     appProfileSteps,
     buildStepUrl,
     createSteps,
+    error,
+    isLoading,
     isCreateFlowStep,
+    isReady: activeStep !== null,
     nextStep,
   }
 }

package/src/node/index.ts

@@ -0,0 +1,271 @@
+import type {
+  AccountViewResult,
+  AuthSession,
+  AuthzCheckResult,
+  RoleBinding,
+  ServerResponse,
+} from "@pmate/meta"
+import { BizErrorCode } from "@pmate/meta"
+import { ServiceError } from "@pmate/service-core"
+import { Elysia } from "elysia"
+
+export type AuthenticatedAccount = {
+  token: string
+  accountId: string
+  session: AuthSession
+}
+
+export type AuthClientLike = {
+  authenticateRequest(request: Request): Promise<AuthenticatedAccount>
+  checkAuthorization(
+    request: Request,
+    input: { account?: string; namespace: string; roles: string[] }
+  ): Promise<AuthzCheckResult>
+  getAccountView(
+    request: Request,
+    query: { account?: string; mobile?: string; nickName?: string }
+  ): Promise<AccountViewResult>
+  listRoleBindings(
+    request: Request,
+    query: { account?: string; namespace?: string }
+  ): Promise<RoleBinding[]>
+  createRoleBinding(
+    request: Request,
+    input: { account: string; namespace: string; role: string; source?: string }
+  ): Promise<RoleBinding>
+}
+
+export class AuthClient implements AuthClientLike {
+  private readonly authApiBaseUrl: string
+  private readonly fetchImpl: typeof fetch
+
+  constructor(options: { authApiBaseUrl?: string; fetchImpl?: typeof fetch } = {}) {
+    this.authApiBaseUrl = (
+      options.authApiBaseUrl ||
+      process.env.AUTH_API_BASE_URL ||
+      "https://auth-api-v2.pmate.chat"
+    ).replace(/\/+$/, "")
+    this.fetchImpl = options.fetchImpl ?? fetch
+  }
+
+  async authenticateRequest(request: Request): Promise<AuthenticatedAccount> {
+    const token = extractBearerToken(request.headers.get("authorization"))
+    const session = await authRequest<AuthSession | null>(
+      this.fetchImpl,
+      this.authApiBaseUrl,
+      "/session",
+      {
+        method: "GET",
+        token,
+      }
+    )
+    if (!session?.identity?.accountId) {
+      throw new ServiceError("Unauthorized", 401, BizErrorCode.AUTH_ERROR)
+    }
+    return {
+      token,
+      accountId: session.identity.accountId,
+      session,
+    }
+  }
+
+  async checkAuthorization(
+    request: Request,
+    input: { account?: string; namespace: string; roles: string[] }
+  ) {
+    const auth = await this.authenticateRequest(request)
+    return authRequest<AuthzCheckResult>(
+      this.fetchImpl,
+      this.authApiBaseUrl,
+      "/authz/check",
+      {
+        method: "POST",
+        token: auth.token,
+        body: JSON.stringify({
+          account: input.account ?? auth.accountId,
+          namespace: input.namespace,
+          roles: input.roles,
+        }),
+      }
+    )
+  }
+
+  async getAccountView(
+    request: Request,
+    query: { account?: string; mobile?: string; nickName?: string }
+  ) {
+    const auth = await this.authenticateRequest(request)
+    const url = new URL(`${this.authApiBaseUrl}/accounts/view`)
+    if (query.account) url.searchParams.set("account", query.account)
+    if (query.mobile) url.searchParams.set("mobile", query.mobile)
+    if (query.nickName) url.searchParams.set("nickName", query.nickName)
+    return authRequest<AccountViewResult>(this.fetchImpl, this.authApiBaseUrl, url, {
+      method: "GET",
+      token: auth.token,
+    })
+  }
+
+  async listRoleBindings(
+    request: Request,
+    query: { account?: string; namespace?: string }
+  ) {
+    const auth = await this.authenticateRequest(request)
+    const url = new URL(`${this.authApiBaseUrl}/role/bindings`)
+    if (query.account) url.searchParams.set("account", query.account)
+    if (query.namespace) url.searchParams.set("namespace", query.namespace)
+    return authRequest<RoleBinding[]>(this.fetchImpl, this.authApiBaseUrl, url, {
+      method: "GET",
+      token: auth.token,
+    })
+  }
+
+  async createRoleBinding(
+    request: Request,
+    input: { account: string; namespace: string; role: string; source?: string }
+  ) {
+    const auth = await this.authenticateRequest(request)
+    return authRequest<RoleBinding>(
+      this.fetchImpl,
+      this.authApiBaseUrl,
+      "/role/bindings",
+      {
+        method: "POST",
+        token: auth.token,
+        body: JSON.stringify(input),
+      }
+    )
+  }
+}
+
+export function createAccountAuthPlugin(options: {
+  authApiBaseUrl?: string
+  fetchImpl?: typeof fetch
+} = {}) {
+  const client = new AuthClient(options)
+  return new Elysia({ name: "pmate-account-auth" }).decorate(
+    "accountAuthClient",
+    client
+  )
+}
+
+export function requireAuth(
+  client: AuthClientLike,
+  options: {
+    namespace?:
+      | string
+      | ((context: {
+          request: Request
+          params?: Record<string, string | undefined>
+          query?: Record<string, unknown>
+          body?: unknown
+        }) => string | Promise<string>)
+    roles?: string[]
+  } = {}
+) {
+  return {
+    beforeHandle: async (context: {
+      request: Request
+      params?: Record<string, string | undefined>
+      query?: Record<string, unknown>
+      body?: unknown
+    }) => {
+      if (context.request.method.toUpperCase() === "OPTIONS") {
+        return
+      }
+
+      const auth = await client.authenticateRequest(context.request)
+      let namespace: string | undefined
+      let matchedRole: string | undefined
+      if (options.roles?.length) {
+        namespace =
+          typeof options.namespace === "function"
+            ? await options.namespace(context)
+            : options.namespace
+        if (!namespace) {
+          throw new ServiceError(
+            "Namespace is required for role authorization",
+            500,
+            BizErrorCode.AUTH_ERROR
+          )
+        }
+        const result = await client.checkAuthorization(context.request, {
+          account: auth.accountId,
+          namespace,
+          roles: options.roles,
+        })
+        if (!result.allowed) {
+          throw new ServiceError("Forbidden", 403, BizErrorCode.AUTH_ERROR)
+        }
+        matchedRole = result.matchedRole
+      }
+
+      const authContext = {
+        ...auth,
+        ...(namespace ? { namespace } : {}),
+        ...(matchedRole ? { matchedRole } : {}),
+      }
+      ;(context as Record<string, unknown>).auth = authContext
+      ;(context.request as Request & { auth?: typeof authContext }).auth =
+        authContext
+    },
+  }
+}
+
+type AuthRequestInit = RequestInit & { token?: string }
+
+async function authRequest<T>(
+  fetchImpl: typeof fetch,
+  authApiBaseUrl: string,
+  path: string | URL,
+  init: AuthRequestInit
+): Promise<T> {
+  const { token, headers, ...rest } = init
+  const url =
+    path instanceof URL
+      ? path.toString()
+      : `${authApiBaseUrl}${path.startsWith("/") ? path : `/${path}`}`
+  const response = await fetchImpl(url, {
+    ...rest,
+    headers: {
+      "Content-Type": "application/json",
+      ...(token ? { Authorization: `Bearer ${token}` } : {}),
+      ...(headers ?? {}),
+    },
+  })
+
+  let json: ServerResponse<T> | null = null
+  try {
+    json = (await response.json()) as ServerResponse<T>
+  } catch {
+    json = null
+  }
+
+  if (!response.ok || !json?.success) {
+    throw new ServiceError(
+      json?.message || response.statusText || "Request failed",
+      response.status || 500,
+      BizErrorCode.AUTH_ERROR
+    )
+  }
+
+  return json.data
+}
+
+function extractBearerToken(header: string | null) {
+  if (!header) {
+    throw new ServiceError(
+      "Missing authorization header",
+      401,
+      BizErrorCode.AUTH_ERROR
+    )
+  }
+  const match = header.match(/^Bearer\s+(.+)$/i)
+  if (!match) {
+    throw new ServiceError(
+      "Invalid authorization header",
+      401,
+      BizErrorCode.AUTH_ERROR
+    )
+  }
+  return match[1].trim()
+}

package/src/utils/AccountManagerV2.ts

@@ -216,6 +216,9 @@ export class AccountManagerV2 extends EmitterV2<AccountManagerEventMap> {
   }
 
   public clearSelectedProfile(): void {
+    if (!getSelectedProfileId(this.app)) {
+      return
+    }
     clearSelectedProfileId(this.app)
     this.emit(AccountManagerEvent.StateChange)
   }