@reauth-dev/sdk 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Emil Suleymanov <emil@esnx.xyz>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,252 @@
+# @reauth-dev/sdk
+
+TypeScript SDK for [reauth.dev](https://reauth.dev) - passwordless authentication for your apps.
+
+## Installation
+
+```bash
+npm install @reauth-dev/sdk
+# or
+pnpm add @reauth-dev/sdk
+# or
+yarn add @reauth-dev/sdk
+```
+
+## Quick Start
+
+### React (Next.js)
+
+```typescript
+// app/layout.tsx
+import { AuthProvider } from '@reauth-dev/sdk/react';
+
+export default function RootLayout({ children }) {
+  return (
+    <AuthProvider config={{ domain: 'yourdomain.com' }}>
+      {children}
+    </AuthProvider>
+  );
+}
+
+// app/dashboard/page.tsx
+import { ProtectedRoute, useAuthContext } from '@reauth-dev/sdk/react';
+
+export default function Dashboard() {
+  return (
+    <ProtectedRoute>
+      <DashboardContent />
+    </ProtectedRoute>
+  );
+}
+
+function DashboardContent() {
+  const { user, logout } = useAuthContext();
+
+  return (
+    <div>
+      <h1>Welcome, {user?.email}</h1>
+      <button onClick={logout}>Sign out</button>
+    </div>
+  );
+}
+```
+
+### Vanilla JavaScript
+
+```typescript
+import { createReauthClient } from '@reauth-dev/sdk';
+
+const reauth = createReauthClient({ domain: 'yourdomain.com' });
+
+// Check if authenticated
+const session = await reauth.getSession();
+if (!session.valid) {
+  reauth.login(); // Redirect to login
+}
+
+// Log out
+await reauth.logout();
+```
+
+### Server-Side (API Routes)
+
+```typescript
+// Next.js API Route
+import { createServerClient } from '@reauth-dev/sdk/server';
+import { NextRequest, NextResponse } from 'next/server';
+
+const reauth = createServerClient({ domain: 'yourdomain.com' });
+
+export async function GET(request: NextRequest) {
+  const user = await reauth.getUser(request.headers.get('cookie') || '');
+
+  if (!user) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  return NextResponse.json({ user });
+}
+```
+
+## How It Works
+
+reauth.dev handles the entire login flow. Your app just needs to:
+
+1. **Redirect to login** - Send users to `https://reauth.yourdomain.com`
+2. **Check session** - Verify authentication via the session endpoint
+3. **Handle logout** - Clear session cookies
+
+```
+User clicks "Sign in" → Redirect to reauth.yourdomain.com
+→ reauth handles email + magic link → User authenticates
+→ Redirect back to your app with cookies set
+→ Your app checks /auth/session → User info returned
+```
+
+## API Reference
+
+### Browser Client
+
+```typescript
+import { createReauthClient } from '@reauth-dev/sdk';
+
+const reauth = createReauthClient({ domain: 'yourdomain.com' });
+
+// Redirect to login page
+reauth.login();
+
+// Check authentication status
+const session = await reauth.getSession();
+// Returns: { valid, end_user_id, email, roles, waitlist_position, error, error_code }
+
+// Refresh access token (when session.valid === false)
+const success = await reauth.refresh();
+
+// Log out
+await reauth.logout();
+
+// Delete account (self-service)
+const deleted = await reauth.deleteAccount();
+```
+
+### Server Client
+
+```typescript
+import { createServerClient } from '@reauth-dev/sdk/server';
+
+const reauth = createServerClient({ domain: 'yourdomain.com' });
+
+// Get raw session data
+const session = await reauth.getSession(cookieHeader);
+
+// Get user object (or null if not authenticated)
+const user = await reauth.getUser(cookieHeader);
+// Returns: { id, email, roles } | null
+```
+
+### React Components
+
+```typescript
+import { AuthProvider, useAuthContext, useAuth, ProtectedRoute } from '@reauth-dev/sdk/react';
+
+// AuthProvider - Wrap your app
+<AuthProvider config={{ domain: 'yourdomain.com' }}>
+  {children}
+</AuthProvider>
+
+// useAuthContext - Access auth state
+const { user, loading, error, isOnWaitlist, waitlistPosition, login, logout, refetch } = useAuthContext();
+
+// useAuth - Standalone hook (without provider)
+const auth = useAuth({ domain: 'yourdomain.com' });
+
+// ProtectedRoute - Protect pages
+<ProtectedRoute fallback={<Loading />} onWaitlist={() => router.push('/waitlist')}>
+  <ProtectedContent />
+</ProtectedRoute>
+```
+
+## Types
+
+```typescript
+type ReauthSession = {
+  valid: boolean;
+  end_user_id: string | null;
+  email: string | null;
+  roles: string[] | null;
+  waitlist_position: number | null;
+  error: string | null;
+  error_code: 'ACCOUNT_SUSPENDED' | null;
+};
+
+type User = {
+  id: string;
+  email: string;
+  roles: string[];
+};
+
+type ReauthConfig = {
+  domain: string;
+};
+```
+
+## Handling Edge Cases
+
+### Token Refresh
+
+```typescript
+const session = await reauth.getSession();
+
+if (!session.valid && !session.error_code) {
+  // Access token expired, try refresh
+  const refreshed = await reauth.refresh();
+  if (refreshed) {
+    const newSession = await reauth.getSession();
+    // Continue with newSession
+  } else {
+    // Refresh token also expired, redirect to login
+    reauth.login();
+  }
+}
+```
+
+### Waitlist
+
+```typescript
+if (session.valid && session.waitlist_position) {
+  // User authenticated but on waitlist
+  // Show waitlist page with position
+  console.log(`Position: #${session.waitlist_position}`);
+}
+```
+
+### Account Suspended
+
+```typescript
+if (session.error_code === 'ACCOUNT_SUSPENDED') {
+  // Show suspended message
+  // User cannot access app until admin unfreezes
+}
+```
+
+## Prerequisites
+
+1. **Verify your domain** on [reauth.dev](https://reauth.dev)
+2. **Set redirect URL** (where users go after login)
+3. **Enable magic link auth** in domain settings
+
+## Cookies
+
+reauth.dev sets these cookies on `.yourdomain.com`:
+
+| Cookie | Purpose | Expiry |
+|--------|---------|--------|
+| `end_user_access_token` | Auth token (HttpOnly) | 24 hours |
+| `end_user_refresh_token` | Token renewal (HttpOnly) | 30 days |
+| `end_user_email` | Display email | 30 days |
+
+All cookies require HTTPS.
+
+## License
+
+MIT

package/dist/chunk-JX2J36FS.mjs

@@ -0,0 +1,269 @@
+// src/client.ts
+function createReauthClient(config) {
+  const { domain } = config;
+  const baseUrl = `https://reauth.${domain}/api/public`;
+  return {
+    /**
+     * Redirect the user to the reauth.dev login page.
+     * After successful login, they'll be redirected back to your configured redirect URL.
+     */
+    login() {
+      if (typeof window === "undefined") {
+        throw new Error("login() can only be called in browser");
+      }
+      window.location.href = `https://reauth.${domain}/`;
+    },
+    /**
+     * Check if the user is authenticated.
+     * Returns session info including user ID, email, and roles.
+     */
+    async getSession() {
+      const res = await fetch(`${baseUrl}/auth/session`, {
+        credentials: "include"
+      });
+      return res.json();
+    },
+    /**
+     * Refresh the access token using the refresh token.
+     * Call this when getSession() returns valid: false but no error_code.
+     * @returns true if refresh succeeded, false otherwise
+     */
+    async refresh() {
+      const res = await fetch(`${baseUrl}/auth/refresh`, {
+        method: "POST",
+        credentials: "include"
+      });
+      return res.ok;
+    },
+    /**
+     * Get an access token for Bearer authentication.
+     * Use this when calling your own API that uses local token verification.
+     *
+     * @returns TokenResponse with access token, or null if not authenticated
+     *
+     * @example
+     * ```typescript
+     * const tokenResponse = await reauth.getToken();
+     * if (tokenResponse) {
+     *   fetch('/api/data', {
+     *     headers: { Authorization: `Bearer ${tokenResponse.accessToken}` }
+     *   });
+     * }
+     * ```
+     */
+    async getToken() {
+      try {
+        const res = await fetch(`${baseUrl}/auth/token`, {
+          method: "GET",
+          credentials: "include"
+        });
+        if (!res.ok) {
+          if (res.status === 401) return null;
+          throw new Error(`Failed to get token: ${res.status}`);
+        }
+        const data = await res.json();
+        return {
+          accessToken: data.access_token,
+          expiresIn: data.expires_in,
+          tokenType: data.token_type
+        };
+      } catch {
+        return null;
+      }
+    },
+    /**
+     * Log out the user by clearing all session cookies.
+     */
+    async logout() {
+      await fetch(`${baseUrl}/auth/logout`, {
+        method: "POST",
+        credentials: "include"
+      });
+    },
+    /**
+     * Delete the user's own account (self-service).
+     * @returns true if deletion succeeded, false otherwise
+     */
+    async deleteAccount() {
+      const res = await fetch(`${baseUrl}/auth/account`, {
+        method: "DELETE",
+        credentials: "include"
+      });
+      return res.ok;
+    },
+    // ========================================================================
+    // Billing Methods
+    // ========================================================================
+    /**
+     * Get available subscription plans for the domain.
+     * Only returns public plans sorted by display order.
+     */
+    async getPlans() {
+      const res = await fetch(`${baseUrl}/billing/plans`, {
+        credentials: "include"
+      });
+      if (!res.ok) return [];
+      const data = await res.json();
+      return data.map(
+        (p) => ({
+          id: p.id,
+          code: p.code,
+          name: p.name,
+          description: p.description,
+          priceCents: p.price_cents,
+          currency: p.currency,
+          interval: p.interval,
+          intervalCount: p.interval_count,
+          trialDays: p.trial_days,
+          features: p.features,
+          displayOrder: p.display_order
+        })
+      );
+    },
+    /**
+     * Get the current user's subscription status.
+     */
+    async getSubscription() {
+      const res = await fetch(`${baseUrl}/billing/subscription`, {
+        credentials: "include"
+      });
+      const data = await res.json();
+      return {
+        id: data.id,
+        planCode: data.plan_code,
+        planName: data.plan_name,
+        status: data.status,
+        currentPeriodEnd: data.current_period_end,
+        trialEnd: data.trial_end,
+        cancelAtPeriodEnd: data.cancel_at_period_end
+      };
+    },
+    /**
+     * Create a Stripe checkout session to subscribe to a plan.
+     * @param planCode The plan code to subscribe to
+     * @param successUrl URL to redirect to after successful payment
+     * @param cancelUrl URL to redirect to if checkout is canceled
+     * @returns Checkout session with URL to redirect the user to
+     */
+    async createCheckout(planCode, successUrl, cancelUrl) {
+      const res = await fetch(`${baseUrl}/billing/checkout`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        credentials: "include",
+        body: JSON.stringify({
+          plan_code: planCode,
+          success_url: successUrl,
+          cancel_url: cancelUrl
+        })
+      });
+      if (!res.ok) {
+        const err = await res.json().catch(() => ({}));
+        throw new Error(err.message || "Failed to create checkout session");
+      }
+      const data = await res.json();
+      return { checkoutUrl: data.checkout_url };
+    },
+    /**
+     * Redirect user to subscribe to a plan.
+     * Creates a checkout session and redirects to Stripe.
+     * @param planCode The plan code to subscribe to
+     */
+    async subscribe(planCode) {
+      if (typeof window === "undefined") {
+        throw new Error("subscribe() can only be called in browser");
+      }
+      const currentUrl = window.location.href;
+      const { checkoutUrl } = await this.createCheckout(
+        planCode,
+        currentUrl,
+        currentUrl
+      );
+      window.location.href = checkoutUrl;
+    },
+    /**
+     * Open the Stripe customer portal for managing subscription.
+     * @param returnUrl URL to return to after leaving the portal
+     */
+    async openBillingPortal(returnUrl) {
+      if (typeof window === "undefined") {
+        throw new Error("openBillingPortal() can only be called in browser");
+      }
+      const res = await fetch(`${baseUrl}/billing/portal`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        credentials: "include",
+        body: JSON.stringify({
+          return_url: returnUrl || window.location.href
+        })
+      });
+      if (!res.ok) {
+        throw new Error("Failed to open billing portal");
+      }
+      const data = await res.json();
+      window.location.href = data.portal_url;
+    },
+    /**
+     * Cancel the user's subscription at period end.
+     * @returns true if cancellation succeeded
+     */
+    async cancelSubscription() {
+      const res = await fetch(`${baseUrl}/billing/cancel`, {
+        method: "POST",
+        credentials: "include"
+      });
+      return res.ok;
+    },
+    // ========================================================================
+    // Balance Methods
+    // ========================================================================
+    /**
+     * Get the current user's balance.
+     * @returns Object with the current balance
+     */
+    async getBalance() {
+      const res = await fetch(`${baseUrl}/balance`, {
+        credentials: "include"
+      });
+      if (!res.ok) {
+        if (res.status === 401) throw new Error("Not authenticated");
+        throw new Error(`Failed to get balance: ${res.status}`);
+      }
+      return res.json();
+    },
+    /**
+     * Get the current user's balance transaction history.
+     * @param opts - Optional pagination (limit, offset)
+     * @returns Object with array of transactions (newest first)
+     */
+    async getTransactions(opts) {
+      const params = new URLSearchParams();
+      if (opts?.limit !== void 0) params.set("limit", String(opts.limit));
+      if (opts?.offset !== void 0) params.set("offset", String(opts.offset));
+      const qs = params.toString();
+      const res = await fetch(
+        `${baseUrl}/balance/transactions${qs ? `?${qs}` : ""}`,
+        { credentials: "include" }
+      );
+      if (!res.ok) {
+        if (res.status === 401) throw new Error("Not authenticated");
+        throw new Error(`Failed to get transactions: ${res.status}`);
+      }
+      const data = await res.json();
+      return {
+        transactions: data.transactions.map(
+          (t) => ({
+            id: t.id,
+            amountDelta: t.amount_delta,
+            reason: t.reason,
+            balanceAfter: t.balance_after,
+            createdAt: t.created_at
+          })
+        )
+      };
+    }
+  };
+}
+
+export {
+  createReauthClient
+};

package/dist/index.d.mts

@@ -0,0 +1,127 @@
+import { R as ReauthConfig, a as ReauthSession, T as TokenResponse, S as SubscriptionPlan, U as UserSubscription, C as CheckoutSession, b as TransactionsPaginationOptions, B as BalanceTransaction } from './types-D8oOYbeC.mjs';
+export { A as AuthResult, h as ChargeOptions, i as DepositOptions, D as DomainEndUserClaims, e as ReauthServerConfig, f as RequestLike, g as SubscriptionInfo, c as User, d as UserDetails } from './types-D8oOYbeC.mjs';
+
+/**
+ * Create a reauth client for browser-side authentication.
+ *
+ * @example
+ * ```typescript
+ * const reauth = createReauthClient({ domain: 'yourdomain.com' });
+ *
+ * // Check if user is authenticated
+ * const session = await reauth.getSession();
+ * if (!session.valid) {
+ *   reauth.login(); // Redirect to login page
+ * }
+ *
+ * // Log out
+ * await reauth.logout();
+ * ```
+ */
+declare function createReauthClient(config: ReauthConfig): {
+    /**
+     * Redirect the user to the reauth.dev login page.
+     * After successful login, they'll be redirected back to your configured redirect URL.
+     */
+    login(): void;
+    /**
+     * Check if the user is authenticated.
+     * Returns session info including user ID, email, and roles.
+     */
+    getSession(): Promise<ReauthSession>;
+    /**
+     * Refresh the access token using the refresh token.
+     * Call this when getSession() returns valid: false but no error_code.
+     * @returns true if refresh succeeded, false otherwise
+     */
+    refresh(): Promise<boolean>;
+    /**
+     * Get an access token for Bearer authentication.
+     * Use this when calling your own API that uses local token verification.
+     *
+     * @returns TokenResponse with access token, or null if not authenticated
+     *
+     * @example
+     * ```typescript
+     * const tokenResponse = await reauth.getToken();
+     * if (tokenResponse) {
+     *   fetch('/api/data', {
+     *     headers: { Authorization: `Bearer ${tokenResponse.accessToken}` }
+     *   });
+     * }
+     * ```
+     */
+    getToken(): Promise<TokenResponse | null>;
+    /**
+     * Log out the user by clearing all session cookies.
+     */
+    logout(): Promise<void>;
+    /**
+     * Delete the user's own account (self-service).
+     * @returns true if deletion succeeded, false otherwise
+     */
+    deleteAccount(): Promise<boolean>;
+    /**
+     * Get available subscription plans for the domain.
+     * Only returns public plans sorted by display order.
+     */
+    getPlans(): Promise<SubscriptionPlan[]>;
+    /**
+     * Get the current user's subscription status.
+     */
+    getSubscription(): Promise<UserSubscription>;
+    /**
+     * Create a Stripe checkout session to subscribe to a plan.
+     * @param planCode The plan code to subscribe to
+     * @param successUrl URL to redirect to after successful payment
+     * @param cancelUrl URL to redirect to if checkout is canceled
+     * @returns Checkout session with URL to redirect the user to
+     */
+    createCheckout(planCode: string, successUrl: string, cancelUrl: string): Promise<CheckoutSession>;
+    /**
+     * Redirect user to subscribe to a plan.
+     * Creates a checkout session and redirects to Stripe.
+     * @param planCode The plan code to subscribe to
+     */
+    subscribe(planCode: string): Promise<void>;
+    /**
+     * Open the Stripe customer portal for managing subscription.
+     * @param returnUrl URL to return to after leaving the portal
+     */
+    openBillingPortal(returnUrl?: string): Promise<void>;
+    /**
+     * Cancel the user's subscription at period end.
+     * @returns true if cancellation succeeded
+     */
+    cancelSubscription(): Promise<boolean>;
+    /**
+     * Get the current user's balance.
+     * @returns Object with the current balance
+     */
+    getBalance(): Promise<{
+        balance: number;
+    }>;
+    /**
+     * Get the current user's balance transaction history.
+     * @param opts - Optional pagination (limit, offset)
+     * @returns Object with array of transactions (newest first)
+     */
+    getTransactions(opts?: TransactionsPaginationOptions): Promise<{
+        transactions: BalanceTransaction[];
+    }>;
+};
+type ReauthClient = ReturnType<typeof createReauthClient>;
+
+declare enum ReauthErrorCode {
+    /**
+     * OAuth retry window expired. The OAuth flow must be restarted.
+     */
+    OAUTH_RETRY_EXPIRED = "OAUTH_RETRY_EXPIRED"
+}
+type ReauthError = {
+    code: ReauthErrorCode | string;
+    message?: string;
+};
+declare function requiresOAuthRestart(error: ReauthError | null | undefined): boolean;
+
+export { BalanceTransaction, type ReauthClient, ReauthConfig, type ReauthError, ReauthErrorCode, ReauthSession, TokenResponse, TransactionsPaginationOptions, createReauthClient, requiresOAuthRestart };