@reauth-dev/sdk 0.1.0

package/dist/server.js

@@ -0,0 +1,391 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/server.ts
+var server_exports = {};
+__export(server_exports, {
+  createServerClient: () => createServerClient
+});
+module.exports = __toCommonJS(server_exports);
+var import_crypto = require("crypto");
+var jose = __toESM(require("jose"));
+async function deriveJwtSecret(apiKey, domainId) {
+  const salt = Buffer.from(domainId.replace(/-/g, ""), "hex");
+  const info = Buffer.from("reauth-jwt-v1");
+  return new Promise((resolve, reject) => {
+    (0, import_crypto.hkdf)("sha256", apiKey, salt, info, 32, (err, derivedKey) => {
+      if (err) reject(err);
+      else resolve(Buffer.from(derivedKey).toString("hex"));
+    });
+  });
+}
+function transformSubscription(sub) {
+  return {
+    status: sub.status,
+    planCode: sub.plan_code,
+    planName: sub.plan_name,
+    currentPeriodEnd: sub.current_period_end,
+    cancelAtPeriodEnd: sub.cancel_at_period_end,
+    trialEndsAt: sub.trial_ends_at
+  };
+}
+function parseCookies(cookieHeader) {
+  const cookies = {};
+  for (const cookie of cookieHeader.split(";")) {
+    const [key, ...valueParts] = cookie.trim().split("=");
+    if (key) {
+      try {
+        cookies[key] = decodeURIComponent(valueParts.join("="));
+      } catch {
+        cookies[key] = valueParts.join("=");
+      }
+    }
+  }
+  return cookies;
+}
+function createServerClient(config) {
+  const { domain, apiKey } = config;
+  if (!apiKey) {
+    throw new Error(
+      "apiKey is required for createServerClient. Get one from the Reauth dashboard."
+    );
+  }
+  const developerBaseUrl = `https://reauth.${domain}/api/developer`;
+  return {
+    /**
+     * Verify a JWT token locally using HKDF-derived secret.
+     * No network call required - fast and reliable.
+     *
+     * The domain_id is extracted from the token claims automatically.
+     *
+     * @param token - The JWT token to verify
+     * @returns AuthResult with user info from claims
+     *
+     * @example
+     * ```typescript
+     * const result = await reauth.verifyToken(token);
+     * if (result.valid && result.user) {
+     *   console.log('User ID:', result.user.id);
+     *   console.log('Roles:', result.user.roles);
+     *   console.log('Subscription:', result.user.subscription);
+     * }
+     * ```
+     */
+    async verifyToken(token) {
+      try {
+        const unverified = jose.decodeJwt(token);
+        const domainId = unverified.domain_id;
+        const unverifiedDomain = unverified.domain;
+        if (!domainId) {
+          return { valid: false, user: null, claims: null, error: "Missing domain_id in token" };
+        }
+        if (unverifiedDomain !== domain) {
+          return { valid: false, user: null, claims: null, error: "Domain mismatch" };
+        }
+        const secret = await deriveJwtSecret(apiKey, domainId);
+        const { payload } = await jose.jwtVerify(
+          token,
+          new TextEncoder().encode(secret),
+          {
+            algorithms: ["HS256"],
+            clockTolerance: 60
+            // 60 seconds clock skew tolerance
+          }
+        );
+        const claims = payload;
+        if (claims.domain !== domain) {
+          return { valid: false, user: null, claims: null, error: "Domain mismatch" };
+        }
+        return {
+          valid: true,
+          user: {
+            id: claims.sub,
+            roles: claims.roles,
+            subscription: transformSubscription(claims.subscription)
+          },
+          claims
+        };
+      } catch (err) {
+        const error = err instanceof Error ? err.message : "Unknown error";
+        return { valid: false, user: null, claims: null, error };
+      }
+    },
+    /**
+     * Extract a token from a request object.
+     * Tries Authorization: Bearer header first, then falls back to cookies.
+     *
+     * @param request - Object with headers (authorization and/or cookie)
+     * @returns The token string or null if not found
+     *
+     * @example
+     * ```typescript
+     * const token = reauth.extractToken({
+     *   headers: {
+     *     authorization: req.headers.authorization,
+     *     cookie: req.headers.cookie,
+     *   },
+     * });
+     * ```
+     */
+    extractToken(request) {
+      const authHeader = request.headers?.authorization;
+      if (authHeader?.startsWith("Bearer ")) {
+        return authHeader.slice(7);
+      }
+      const cookieHeader = request.headers?.cookie;
+      if (cookieHeader) {
+        const cookies = parseCookies(cookieHeader);
+        if (cookies["end_user_access_token"]) {
+          return cookies["end_user_access_token"];
+        }
+      }
+      return null;
+    },
+    /**
+     * Authenticate a request by extracting and verifying the token.
+     * This is a convenience method combining extractToken and verifyToken.
+     *
+     * @param request - Object with headers (authorization and/or cookie)
+     * @returns AuthResult with user info from claims
+     *
+     * @example
+     * ```typescript
+     * // Express/Node.js
+     * async function authMiddleware(req, res, next) {
+     *   const result = await reauth.authenticate({
+     *     headers: {
+     *       authorization: req.headers.authorization,
+     *       cookie: req.headers.cookie,
+     *     },
+     *   });
+     *
+     *   if (!result.valid || !result.user) {
+     *     res.status(401).json({ error: result.error || 'Unauthorized' });
+     *     return;
+     *   }
+     *
+     *   req.user = result.user;
+     *   next();
+     * }
+     *
+     * // Next.js App Router
+     * export async function GET(request: NextRequest) {
+     *   const result = await reauth.authenticate({
+     *     headers: {
+     *       authorization: request.headers.get('authorization') ?? undefined,
+     *       cookie: request.headers.get('cookie') ?? undefined,
+     *     },
+     *   });
+     *
+     *   if (!result.valid) {
+     *     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+     *   }
+     *
+     *   return NextResponse.json({ user: result.user });
+     * }
+     * ```
+     */
+    async authenticate(request) {
+      const token = this.extractToken(request);
+      if (!token) {
+        return { valid: false, user: null, claims: null, error: "No token provided" };
+      }
+      return this.verifyToken(token);
+    },
+    /**
+     * Get user details by ID from the backend.
+     * Use this when you need full user info like email, frozen status, etc.
+     * that isn't available in the JWT claims.
+     *
+     * @param userId - The user ID to fetch
+     * @returns UserDetails or null if not found
+     *
+     * @example
+     * ```typescript
+     * // After verifying token, fetch full user details if needed
+     * const result = await reauth.authenticate(request);
+     * if (result.valid && result.user) {
+     *   // If you need email or other details not in JWT
+     *   const details = await reauth.getUserById(result.user.id);
+     *   if (details) {
+     *     console.log('Email:', details.email);
+     *     console.log('Frozen:', details.isFrozen);
+     *   }
+     * }
+     * ```
+     */
+    async getUserById(userId) {
+      const res = await fetch(`${developerBaseUrl}/users/${userId}`, {
+        headers: {
+          Authorization: `Bearer ${apiKey}`
+        }
+      });
+      if (!res.ok) {
+        if (res.status === 401) {
+          throw new Error("Invalid API key");
+        }
+        if (res.status === 404) {
+          return null;
+        }
+        throw new Error(`Failed to get user: ${res.status}`);
+      }
+      const data = await res.json();
+      return {
+        id: data.id,
+        email: data.email,
+        roles: data.roles,
+        emailVerifiedAt: data.email_verified_at,
+        lastLoginAt: data.last_login_at,
+        isFrozen: data.is_frozen,
+        isWhitelisted: data.is_whitelisted,
+        createdAt: data.created_at
+      };
+    },
+    // ========================================================================
+    // Balance Methods
+    // ========================================================================
+    /**
+     * Get a user's current balance.
+     *
+     * @param userId - The user ID to check
+     * @returns Object with the current balance
+     */
+    async getBalance(userId) {
+      const res = await fetch(`${developerBaseUrl}/users/${userId}/balance`, {
+        headers: {
+          Authorization: `Bearer ${apiKey}`
+        }
+      });
+      if (!res.ok) {
+        if (res.status === 401) throw new Error("Invalid API key");
+        throw new Error(`Failed to get balance: ${res.status}`);
+      }
+      return res.json();
+    },
+    /**
+     * Charge (deduct) credits from a user's balance.
+     *
+     * @param userId - The user ID to charge
+     * @param opts - Charge options (amount, requestUuid for idempotency, optional note)
+     * @returns Object with the new balance after charge
+     * @throws Error with status 402 if insufficient balance, 400 if invalid amount
+     */
+    async charge(userId, opts) {
+      const res = await fetch(`${developerBaseUrl}/users/${userId}/charge`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${apiKey}`
+        },
+        body: JSON.stringify({
+          amount: opts.amount,
+          request_uuid: opts.requestUuid,
+          note: opts.note
+        })
+      });
+      if (!res.ok) {
+        if (res.status === 401) throw new Error("Invalid API key");
+        if (res.status === 402) throw new Error("Insufficient balance");
+        if (res.status === 400) throw new Error("Invalid amount");
+        throw new Error(`Failed to charge balance: ${res.status}`);
+      }
+      const data = await res.json();
+      return { newBalance: data.new_balance };
+    },
+    /**
+     * Deposit (add) credits to a user's balance.
+     *
+     * @param userId - The user ID to deposit to
+     * @param opts - Deposit options (amount, requestUuid for idempotency, optional note)
+     * @returns Object with the new balance after deposit
+     */
+    async deposit(userId, opts) {
+      const res = await fetch(`${developerBaseUrl}/users/${userId}/deposit`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${apiKey}`
+        },
+        body: JSON.stringify({
+          amount: opts.amount,
+          request_uuid: opts.requestUuid,
+          note: opts.note
+        })
+      });
+      if (!res.ok) {
+        if (res.status === 401) throw new Error("Invalid API key");
+        if (res.status === 400) throw new Error("Invalid amount");
+        throw new Error(`Failed to deposit balance: ${res.status}`);
+      }
+      const data = await res.json();
+      return { newBalance: data.new_balance };
+    },
+    /**
+     * Get a user's balance transaction history.
+     *
+     * @param userId - The user ID to get transactions for
+     * @param opts - Optional pagination (limit, offset)
+     * @returns Object with array of transactions (newest first)
+     */
+    async getTransactions(userId, opts) {
+      const params = new URLSearchParams();
+      if (opts?.limit !== void 0) params.set("limit", String(opts.limit));
+      if (opts?.offset !== void 0) params.set("offset", String(opts.offset));
+      const qs = params.toString();
+      const res = await fetch(
+        `${developerBaseUrl}/users/${userId}/balance/transactions${qs ? `?${qs}` : ""}`,
+        {
+          headers: {
+            Authorization: `Bearer ${apiKey}`
+          }
+        }
+      );
+      if (!res.ok) {
+        if (res.status === 401) throw new Error("Invalid API key");
+        throw new Error(`Failed to get transactions: ${res.status}`);
+      }
+      const data = await res.json();
+      return {
+        transactions: data.transactions.map(
+          (t) => ({
+            id: t.id,
+            amountDelta: t.amount_delta,
+            reason: t.reason,
+            balanceAfter: t.balance_after,
+            createdAt: t.created_at
+          })
+        )
+      };
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createServerClient
+});