@reauth-dev/sdk 0.1.0 → 0.3.0

package/dist/react/index.mjs

@@ -1,11 +1,15 @@
 import {
   createReauthClient
-} from "../chunk-JX2J36FS.mjs";
+} from "../chunk-5LFJ5PXQ.mjs";
+import "../chunk-EY5LQCDG.mjs";
 
 // src/react/useAuth.ts
-import { useState, useEffect, useCallback, useMemo } from "react";
+import { useState, useEffect, useCallback, useMemo, useRef } from "react";
+var DEFAULT_REFRESH_INTERVAL_MS = 5 * 60 * 1e3;
 function useAuth(config) {
-  const client = useMemo(() => createReauthClient(config), [config.domain]);
+  const { refreshInterval = DEFAULT_REFRESH_INTERVAL_MS, ...clientConfig } = config;
+  const client = useMemo(() => createReauthClient(clientConfig), [clientConfig.domain]);
+  const isRefreshing = useRef(false);
   const [state, setState] = useState({
     user: null,
     loading: true,
@@ -14,12 +18,15 @@ function useAuth(config) {
     waitlistPosition: null
   });
   const checkSession = useCallback(async () => {
+    if (isRefreshing.current) return;
+    isRefreshing.current = true;
     try {
       let session = await client.getSession();
       if (!session.valid && !session.error_code && !session.end_user_id) {
-        const refreshed = await client.refresh();
-        if (refreshed) {
+        try {
+          await client.refresh();
           session = await client.getSession();
+        } catch {
         }
       }
       if (session.error_code === "ACCOUNT_SUSPENDED") {
@@ -37,7 +44,9 @@ function useAuth(config) {
           user: {
             id: session.end_user_id,
             email: session.email,
-            roles: session.roles || []
+            roles: session.roles || [],
+            activeOrgId: session.active_org_id || "",
+            orgRole: session.org_role || ""
           },
           loading: false,
           error: null,
@@ -51,7 +60,9 @@ function useAuth(config) {
           user: {
             id: session.end_user_id,
             email: session.email,
-            roles: session.roles || []
+            roles: session.roles || [],
+            activeOrgId: session.active_org_id || "",
+            orgRole: session.org_role || ""
           },
           loading: false,
           error: null,
@@ -75,11 +86,20 @@ function useAuth(config) {
         isOnWaitlist: false,
         waitlistPosition: null
       });
+    } finally {
+      isRefreshing.current = false;
     }
   }, [client]);
   useEffect(() => {
     checkSession();
   }, [checkSession]);
+  useEffect(() => {
+    if (refreshInterval <= 0) return;
+    const intervalId = setInterval(() => {
+      checkSession();
+    }, refreshInterval);
+    return () => clearInterval(intervalId);
+  }, [checkSession, refreshInterval]);
   const logout = useCallback(async () => {
     await client.logout();
     setState({
@@ -98,6 +118,131 @@ function useAuth(config) {
   };
 }
 
+// src/react/useHeadlessAuth.ts
+import { useState as useState2, useCallback as useCallback2, useMemo as useMemo2 } from "react";
+function useHeadlessAuth(options) {
+  const client = useMemo2(
+    () => createReauthClient({ domain: options.domain, timeout: options.timeout }),
+    [options.domain, options.timeout]
+  );
+  const [state, setState] = useState2({
+    loading: false,
+    error: null,
+    step: "idle",
+    config: null,
+    verifyResult: null
+  });
+  const getConfig = useCallback2(async () => {
+    setState((s) => ({ ...s, loading: true, error: null }));
+    try {
+      const config = await client.getConfig();
+      setState((s) => ({ ...s, loading: false, config }));
+      return config;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Failed to get config";
+      setState((s) => ({ ...s, loading: false, error: message }));
+      throw err;
+    }
+  }, [client]);
+  const requestMagicLink = useCallback2(
+    async (email) => {
+      setState((s) => ({ ...s, loading: true, error: null }));
+      try {
+        await client.requestMagicLink({
+          email,
+          callbackUrl: options.callbackUrl
+        });
+        setState((s) => ({
+          ...s,
+          loading: false,
+          step: "magic_link_sent"
+        }));
+      } catch (err) {
+        const message = err instanceof Error ? err.message : "Failed to send magic link";
+        setState((s) => ({ ...s, loading: false, error: message }));
+        throw err;
+      }
+    },
+    [client, options.callbackUrl]
+  );
+  const verifyMagicLink = useCallback2(
+    async (token) => {
+      setState((s) => ({ ...s, loading: true, error: null }));
+      try {
+        const result = await client.verifyMagicLink({ token });
+        setState((s) => ({
+          ...s,
+          loading: false,
+          step: "completed",
+          verifyResult: result
+        }));
+        return result;
+      } catch (err) {
+        const message = err instanceof Error ? err.message : "Failed to verify magic link";
+        setState((s) => ({ ...s, loading: false, error: message }));
+        throw err;
+      }
+    },
+    [client]
+  );
+  const startGoogleOAuth = useCallback2(async () => {
+    setState((s) => ({ ...s, loading: true, error: null }));
+    try {
+      const result = await client.startGoogleOAuth();
+      setState((s) => ({
+        ...s,
+        loading: false,
+        step: "google_started"
+      }));
+      if (typeof window !== "undefined") {
+        window.location.href = result.authUrl;
+      }
+      return result;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Failed to start Google OAuth";
+      setState((s) => ({ ...s, loading: false, error: message }));
+      throw err;
+    }
+  }, [client]);
+  const startTwitterOAuth = useCallback2(async () => {
+    setState((s) => ({ ...s, loading: true, error: null }));
+    try {
+      const result = await client.startTwitterOAuth();
+      setState((s) => ({
+        ...s,
+        loading: false,
+        step: "twitter_started"
+      }));
+      if (typeof window !== "undefined") {
+        window.location.href = result.authUrl;
+      }
+      return result;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Failed to start Twitter OAuth";
+      setState((s) => ({ ...s, loading: false, error: message }));
+      throw err;
+    }
+  }, [client]);
+  const reset = useCallback2(() => {
+    setState({
+      loading: false,
+      error: null,
+      step: "idle",
+      config: null,
+      verifyResult: null
+    });
+  }, []);
+  return {
+    ...state,
+    getConfig,
+    requestMagicLink,
+    verifyMagicLink,
+    startGoogleOAuth,
+    startTwitterOAuth,
+    reset
+  };
+}
+
 // src/react/AuthProvider.tsx
 import { createContext, useContext } from "react";
 import { jsx } from "react/jsx-runtime";
@@ -115,7 +260,7 @@ function useAuthContext() {
 }
 
 // src/react/ProtectedRoute.tsx
-import { useEffect as useEffect2 } from "react";
+import { useEffect as useEffect2, useRef as useRef2 } from "react";
 import { Fragment, jsx as jsx2 } from "react/jsx-runtime";
 function ProtectedRoute({
   children,
@@ -124,8 +269,10 @@ function ProtectedRoute({
   onWaitlist
 }) {
   const { user, loading, isOnWaitlist, login } = useAuthContext();
+  const hasRedirected = useRef2(false);
   useEffect2(() => {
-    if (!loading && !user) {
+    if (!loading && !user && !hasRedirected.current) {
+      hasRedirected.current = true;
       if (onUnauthenticated) {
         onUnauthenticated();
       } else {
@@ -134,7 +281,8 @@ function ProtectedRoute({
     }
   }, [loading, user, login, onUnauthenticated]);
   useEffect2(() => {
-    if (!loading && isOnWaitlist && onWaitlist) {
+    if (!loading && isOnWaitlist && onWaitlist && !hasRedirected.current) {
+      hasRedirected.current = true;
       onWaitlist();
     }
   }, [loading, isOnWaitlist, onWaitlist]);
@@ -150,5 +298,6 @@ export {
   AuthProvider,
   ProtectedRoute,
   useAuth,
-  useAuthContext
+  useAuthContext,
+  useHeadlessAuth
 };

package/dist/server.d.mts

@@ -1,5 +1,23 @@
-import { e as ReauthServerConfig, A as AuthResult, f as RequestLike, d as UserDetails, h as ChargeOptions, i as DepositOptions, b as TransactionsPaginationOptions, B as BalanceTransaction } from './types-D8oOYbeC.mjs';
+import { q as ReauthServerConfig, r as AuthResult, s as RequestLike, p as UserDetails, x as ChargeOptions, y as DepositOptions, e as TransactionsPaginationOptions, B as BalanceTransaction } from './types-DKUKhCNE.mjs';
 
+/**
+ * Derives a JWT signing secret from an API key using HKDF-SHA256.
+ * This must match the Rust backend implementation exactly.
+ *
+ * IMPORTANT: Returns hex-encoded string (64 chars), NOT raw bytes.
+ * The Rust API uses the ASCII bytes of the hex string as the JWT secret,
+ * so we must do the same for compatibility.
+ *
+ * @param apiKey - The raw API key (e.g., "sk_live_...")
+ * @param domainId - UUID of the domain (used as salt for domain isolation)
+ * @returns Promise<string> - 64-char hex string (to be used as ASCII bytes for JWT signing)
+ */
+declare function deriveJwtSecret(apiKey: string, domainId: string): Promise<string>;
+/**
+ * Parse cookies from a cookie header string.
+ * Handles URL encoding and multiple cookies properly.
+ */
+declare function parseCookies(cookieHeader: string): Record<string, string>;
 /**
  * Create a reauth client for server-side authentication.
  * Uses local JWT verification for fast, reliable auth checks.
@@ -185,4 +203,4 @@ declare function createServerClient(config: ReauthServerConfig): {
 };
 type ServerClient = ReturnType<typeof createServerClient>;
 
-export { type ServerClient, createServerClient };
+export { type ServerClient, createServerClient, deriveJwtSecret, parseCookies };

package/dist/server.d.ts

@@ -1,5 +1,23 @@
-import { e as ReauthServerConfig, A as AuthResult, f as RequestLike, d as UserDetails, h as ChargeOptions, i as DepositOptions, b as TransactionsPaginationOptions, B as BalanceTransaction } from './types-D8oOYbeC.js';
+import { q as ReauthServerConfig, r as AuthResult, s as RequestLike, p as UserDetails, x as ChargeOptions, y as DepositOptions, e as TransactionsPaginationOptions, B as BalanceTransaction } from './types-DKUKhCNE.js';
 
+/**
+ * Derives a JWT signing secret from an API key using HKDF-SHA256.
+ * This must match the Rust backend implementation exactly.
+ *
+ * IMPORTANT: Returns hex-encoded string (64 chars), NOT raw bytes.
+ * The Rust API uses the ASCII bytes of the hex string as the JWT secret,
+ * so we must do the same for compatibility.
+ *
+ * @param apiKey - The raw API key (e.g., "sk_live_...")
+ * @param domainId - UUID of the domain (used as salt for domain isolation)
+ * @returns Promise<string> - 64-char hex string (to be used as ASCII bytes for JWT signing)
+ */
+declare function deriveJwtSecret(apiKey: string, domainId: string): Promise<string>;
+/**
+ * Parse cookies from a cookie header string.
+ * Handles URL encoding and multiple cookies properly.
+ */
+declare function parseCookies(cookieHeader: string): Record<string, string>;
 /**
  * Create a reauth client for server-side authentication.
  * Uses local JWT verification for fast, reliable auth checks.
@@ -185,4 +203,4 @@ declare function createServerClient(config: ReauthServerConfig): {
 };
 type ServerClient = ReturnType<typeof createServerClient>;
 
-export { type ServerClient, createServerClient };
+export { type ServerClient, createServerClient, deriveJwtSecret, parseCookies };

package/dist/server.js

@@ -30,11 +30,18 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/server.ts
 var server_exports = {};
 __export(server_exports, {
-  createServerClient: () => createServerClient
+  createServerClient: () => createServerClient,
+  deriveJwtSecret: () => deriveJwtSecret,
+  parseCookies: () => parseCookies
 });
 module.exports = __toCommonJS(server_exports);
 var import_crypto = require("crypto");
 var jose = __toESM(require("jose"));
+
+// src/types.ts
+var DEFAULT_TIMEOUT_MS = 1e4;
+
+// src/server.ts
 async function deriveJwtSecret(apiKey, domainId) {
   const salt = Buffer.from(domainId.replace(/-/g, ""), "hex");
   const info = Buffer.from("reauth-jwt-v1");
@@ -45,6 +52,30 @@ async function deriveJwtSecret(apiKey, domainId) {
     });
   });
 }
+var VALID_SUBSCRIPTION_STATUSES = /* @__PURE__ */ new Set([
+  "active",
+  "past_due",
+  "canceled",
+  "trialing",
+  "incomplete",
+  "incomplete_expired",
+  "unpaid",
+  "paused",
+  "none"
+]);
+function isValidClaims(payload) {
+  if (typeof payload.sub !== "string") return false;
+  if (typeof payload.domain_id !== "string") return false;
+  if (typeof payload.domain !== "string") return false;
+  if (typeof payload.active_org_id !== "string") return false;
+  if (typeof payload.org_role !== "string") return false;
+  if (!Array.isArray(payload.roles) || !payload.roles.every((r) => typeof r === "string")) return false;
+  const subscription = payload.subscription;
+  if (typeof subscription !== "object" || subscription === null || Array.isArray(subscription)) return false;
+  const status = subscription.status;
+  if (typeof status !== "string" || !VALID_SUBSCRIPTION_STATUSES.has(status)) return false;
+  return true;
+}
 function transformSubscription(sub) {
   return {
     status: sub.status,
@@ -71,6 +102,10 @@ function parseCookies(cookieHeader) {
 }
 function createServerClient(config) {
   const { domain, apiKey } = config;
+  if (config.timeout !== void 0 && (!Number.isFinite(config.timeout) || config.timeout <= 0)) {
+    throw new Error("timeout must be a positive finite number in milliseconds");
+  }
+  const timeoutMs = config.timeout ?? DEFAULT_TIMEOUT_MS;
   if (!apiKey) {
     throw new Error(
       "apiKey is required for createServerClient. Get one from the Reauth dashboard."
@@ -118,7 +153,11 @@ function createServerClient(config) {
             // 60 seconds clock skew tolerance
           }
         );
-        const claims = payload;
+        const payloadRecord = payload;
+        if (!isValidClaims(payloadRecord)) {
+          return { valid: false, user: null, claims: null, error: "Invalid token claims: missing required fields" };
+        }
+        const claims = payloadRecord;
         if (claims.domain !== domain) {
           return { valid: false, user: null, claims: null, error: "Domain mismatch" };
         }
@@ -127,6 +166,8 @@ function createServerClient(config) {
           user: {
             id: claims.sub,
             roles: claims.roles,
+            activeOrgId: claims.active_org_id,
+            orgRole: claims.org_role,
             subscription: transformSubscription(claims.subscription)
           },
           claims
@@ -241,10 +282,11 @@ function createServerClient(config) {
      * ```
      */
     async getUserById(userId) {
-      const res = await fetch(`${developerBaseUrl}/users/${userId}`, {
+      const res = await fetch(`${developerBaseUrl}/users/${encodeURIComponent(userId)}`, {
         headers: {
           Authorization: `Bearer ${apiKey}`
-        }
+        },
+        signal: AbortSignal.timeout(timeoutMs)
       });
       if (!res.ok) {
         if (res.status === 401) {
@@ -277,16 +319,18 @@ function createServerClient(config) {
      * @returns Object with the current balance
      */
     async getBalance(userId) {
-      const res = await fetch(`${developerBaseUrl}/users/${userId}/balance`, {
+      const res = await fetch(`${developerBaseUrl}/users/${encodeURIComponent(userId)}/balance`, {
         headers: {
           Authorization: `Bearer ${apiKey}`
-        }
+        },
+        signal: AbortSignal.timeout(timeoutMs)
       });
       if (!res.ok) {
         if (res.status === 401) throw new Error("Invalid API key");
         throw new Error(`Failed to get balance: ${res.status}`);
       }
-      return res.json();
+      const data = await res.json();
+      return { balance: data.balance };
     },
     /**
      * Charge (deduct) credits from a user's balance.
@@ -297,12 +341,13 @@ function createServerClient(config) {
      * @throws Error with status 402 if insufficient balance, 400 if invalid amount
      */
     async charge(userId, opts) {
-      const res = await fetch(`${developerBaseUrl}/users/${userId}/charge`, {
+      const res = await fetch(`${developerBaseUrl}/users/${encodeURIComponent(userId)}/charge`, {
         method: "POST",
         headers: {
           "Content-Type": "application/json",
           Authorization: `Bearer ${apiKey}`
         },
+        signal: AbortSignal.timeout(timeoutMs),
         body: JSON.stringify({
           amount: opts.amount,
           request_uuid: opts.requestUuid,
@@ -326,12 +371,13 @@ function createServerClient(config) {
      * @returns Object with the new balance after deposit
      */
     async deposit(userId, opts) {
-      const res = await fetch(`${developerBaseUrl}/users/${userId}/deposit`, {
+      const res = await fetch(`${developerBaseUrl}/users/${encodeURIComponent(userId)}/deposit`, {
         method: "POST",
         headers: {
           "Content-Type": "application/json",
           Authorization: `Bearer ${apiKey}`
         },
+        signal: AbortSignal.timeout(timeoutMs),
         body: JSON.stringify({
           amount: opts.amount,
           request_uuid: opts.requestUuid,
@@ -359,11 +405,12 @@ function createServerClient(config) {
       if (opts?.offset !== void 0) params.set("offset", String(opts.offset));
       const qs = params.toString();
       const res = await fetch(
-        `${developerBaseUrl}/users/${userId}/balance/transactions${qs ? `?${qs}` : ""}`,
+        `${developerBaseUrl}/users/${encodeURIComponent(userId)}/balance/transactions${qs ? `?${qs}` : ""}`,
         {
           headers: {
             Authorization: `Bearer ${apiKey}`
-          }
+          },
+          signal: AbortSignal.timeout(timeoutMs)
         }
       );
       if (!res.ok) {
@@ -387,5 +434,7 @@ function createServerClient(config) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  createServerClient
+  createServerClient,
+  deriveJwtSecret,
+  parseCookies
 });

package/dist/server.mjs

@@ -1,3 +1,7 @@
+import {
+  DEFAULT_TIMEOUT_MS
+} from "./chunk-EY5LQCDG.mjs";
+
 // src/server.ts
 import { hkdf } from "crypto";
 import * as jose from "jose";
@@ -11,6 +15,30 @@ async function deriveJwtSecret(apiKey, domainId) {
     });
   });
 }
+var VALID_SUBSCRIPTION_STATUSES = /* @__PURE__ */ new Set([
+  "active",
+  "past_due",
+  "canceled",
+  "trialing",
+  "incomplete",
+  "incomplete_expired",
+  "unpaid",
+  "paused",
+  "none"
+]);
+function isValidClaims(payload) {
+  if (typeof payload.sub !== "string") return false;
+  if (typeof payload.domain_id !== "string") return false;
+  if (typeof payload.domain !== "string") return false;
+  if (typeof payload.active_org_id !== "string") return false;
+  if (typeof payload.org_role !== "string") return false;
+  if (!Array.isArray(payload.roles) || !payload.roles.every((r) => typeof r === "string")) return false;
+  const subscription = payload.subscription;
+  if (typeof subscription !== "object" || subscription === null || Array.isArray(subscription)) return false;
+  const status = subscription.status;
+  if (typeof status !== "string" || !VALID_SUBSCRIPTION_STATUSES.has(status)) return false;
+  return true;
+}
 function transformSubscription(sub) {
   return {
     status: sub.status,
@@ -37,6 +65,10 @@ function parseCookies(cookieHeader) {
 }
 function createServerClient(config) {
   const { domain, apiKey } = config;
+  if (config.timeout !== void 0 && (!Number.isFinite(config.timeout) || config.timeout <= 0)) {
+    throw new Error("timeout must be a positive finite number in milliseconds");
+  }
+  const timeoutMs = config.timeout ?? DEFAULT_TIMEOUT_MS;
   if (!apiKey) {
     throw new Error(
       "apiKey is required for createServerClient. Get one from the Reauth dashboard."
@@ -84,7 +116,11 @@ function createServerClient(config) {
             // 60 seconds clock skew tolerance
           }
         );
-        const claims = payload;
+        const payloadRecord = payload;
+        if (!isValidClaims(payloadRecord)) {
+          return { valid: false, user: null, claims: null, error: "Invalid token claims: missing required fields" };
+        }
+        const claims = payloadRecord;
         if (claims.domain !== domain) {
           return { valid: false, user: null, claims: null, error: "Domain mismatch" };
         }
@@ -93,6 +129,8 @@ function createServerClient(config) {
           user: {
             id: claims.sub,
             roles: claims.roles,
+            activeOrgId: claims.active_org_id,
+            orgRole: claims.org_role,
             subscription: transformSubscription(claims.subscription)
           },
           claims
@@ -207,10 +245,11 @@ function createServerClient(config) {
      * ```
      */
     async getUserById(userId) {
-      const res = await fetch(`${developerBaseUrl}/users/${userId}`, {
+      const res = await fetch(`${developerBaseUrl}/users/${encodeURIComponent(userId)}`, {
         headers: {
           Authorization: `Bearer ${apiKey}`
-        }
+        },
+        signal: AbortSignal.timeout(timeoutMs)
       });
       if (!res.ok) {
         if (res.status === 401) {
@@ -243,16 +282,18 @@ function createServerClient(config) {
      * @returns Object with the current balance
      */
     async getBalance(userId) {
-      const res = await fetch(`${developerBaseUrl}/users/${userId}/balance`, {
+      const res = await fetch(`${developerBaseUrl}/users/${encodeURIComponent(userId)}/balance`, {
         headers: {
           Authorization: `Bearer ${apiKey}`
-        }
+        },
+        signal: AbortSignal.timeout(timeoutMs)
       });
       if (!res.ok) {
         if (res.status === 401) throw new Error("Invalid API key");
         throw new Error(`Failed to get balance: ${res.status}`);
       }
-      return res.json();
+      const data = await res.json();
+      return { balance: data.balance };
     },
     /**
      * Charge (deduct) credits from a user's balance.
@@ -263,12 +304,13 @@ function createServerClient(config) {
      * @throws Error with status 402 if insufficient balance, 400 if invalid amount
      */
     async charge(userId, opts) {
-      const res = await fetch(`${developerBaseUrl}/users/${userId}/charge`, {
+      const res = await fetch(`${developerBaseUrl}/users/${encodeURIComponent(userId)}/charge`, {
         method: "POST",
         headers: {
           "Content-Type": "application/json",
           Authorization: `Bearer ${apiKey}`
         },
+        signal: AbortSignal.timeout(timeoutMs),
         body: JSON.stringify({
           amount: opts.amount,
           request_uuid: opts.requestUuid,
@@ -292,12 +334,13 @@ function createServerClient(config) {
      * @returns Object with the new balance after deposit
      */
     async deposit(userId, opts) {
-      const res = await fetch(`${developerBaseUrl}/users/${userId}/deposit`, {
+      const res = await fetch(`${developerBaseUrl}/users/${encodeURIComponent(userId)}/deposit`, {
         method: "POST",
         headers: {
           "Content-Type": "application/json",
           Authorization: `Bearer ${apiKey}`
         },
+        signal: AbortSignal.timeout(timeoutMs),
         body: JSON.stringify({
           amount: opts.amount,
           request_uuid: opts.requestUuid,
@@ -325,11 +368,12 @@ function createServerClient(config) {
       if (opts?.offset !== void 0) params.set("offset", String(opts.offset));
       const qs = params.toString();
       const res = await fetch(
-        `${developerBaseUrl}/users/${userId}/balance/transactions${qs ? `?${qs}` : ""}`,
+        `${developerBaseUrl}/users/${encodeURIComponent(userId)}/balance/transactions${qs ? `?${qs}` : ""}`,
         {
           headers: {
             Authorization: `Bearer ${apiKey}`
-          }
+          },
+          signal: AbortSignal.timeout(timeoutMs)
         }
       );
       if (!res.ok) {
@@ -352,5 +396,7 @@ function createServerClient(config) {
   };
 }
 export {
-  createServerClient
+  createServerClient,
+  deriveJwtSecret,
+  parseCookies
 };