@saasak/kit-oauth 0.0.1

package/dist/routes/callback.js

@@ -0,0 +1,80 @@
+import { error, redirect } from '@sveltejs/kit';
+import { exchangeCode, verifyIdToken } from '../oauth.js';
+import { createSession, setSessionCookie, setActiveTeamCookie } from '../session.js';
+export async function handleCallback(event, ctx) {
+    const code = event.url.searchParams.get('code');
+    const state = event.url.searchParams.get('state');
+    const errorParam = event.url.searchParams.get('error');
+    if (errorParam) {
+        error(400, `OAuth error: ${errorParam}`);
+    }
+    if (!code || !state) {
+        error(400, 'Missing code or state parameter');
+    }
+    const oauthStateCookie = event.cookies.get(ctx.cookieNames.oauthState);
+    if (!oauthStateCookie) {
+        error(400, 'Missing OAuth state cookie — session may have expired');
+    }
+    let oauthState;
+    try {
+        oauthState = JSON.parse(oauthStateCookie);
+    }
+    catch {
+        error(400, 'Invalid OAuth state cookie');
+    }
+    if (oauthState.state !== state) {
+        error(400, 'OAuth state mismatch — possible CSRF');
+    }
+    event.cookies.delete(ctx.cookieNames.oauthState, { path: '/' });
+    let tokens;
+    try {
+        tokens = await exchangeCode(ctx, code, oauthState.code_verifier);
+    }
+    catch (err) {
+        console.error(`[${ctx.config.displayName}] Token exchange failed:`, err);
+        error(502, 'Failed to exchange authorization code with IAM');
+    }
+    if (!tokens.id_token) {
+        error(502, 'IAM did not return an id_token');
+    }
+    let claims;
+    try {
+        claims = await verifyIdToken(ctx, tokens.id_token);
+    }
+    catch (err) {
+        console.error(`[${ctx.config.displayName}] ID token verification failed:`, err);
+        error(502, 'Failed to verify ID token from IAM');
+    }
+    const secret = new TextEncoder().encode(ctx.env.SESSION_SECRET);
+    let activeTeamId = null;
+    if (ctx.config.appModel === 'b2b' && claims.orgs.length > 0) {
+        const accessibleOrgs = claims.orgs.filter((o) => o.appAccess !== false);
+        const hinted = oauthState.org_hint
+            ? accessibleOrgs.find((o) => o.slug === oauthState.org_hint)
+            : undefined;
+        const targetOrg = hinted ?? accessibleOrgs[0];
+        activeTeamId = targetOrg?.teams?.find((t) => t.isDefault)?.id ?? null;
+    }
+    const sessionToken = await createSession(secret, {
+        sub: claims.sub,
+        email: claims.email,
+        name: claims.name,
+        emailVerified: claims.email_verified,
+        orgs: claims.orgs,
+        accessToken: tokens.access_token,
+        refreshToken: tokens.refresh_token,
+        permissions: claims.permissions,
+        impersonatedBy: claims.impersonatedBy
+    });
+    if (oauthState.mobile) {
+        const mobileScheme = ctx.config.mobileScheme ?? `com.saasak.${ctx.config.cookiePrefix}`;
+        const params = new URLSearchParams({ token: sessionToken });
+        if (activeTeamId)
+            params.set('activeTeamId', activeTeamId);
+        redirect(303, `${mobileScheme}://auth?${params}`);
+    }
+    setSessionCookie(event.cookies, ctx.cookieNames.session, sessionToken, ctx.secure);
+    setActiveTeamCookie(event.cookies, ctx.cookieNames.activeTeam, activeTeamId, ctx.secure);
+    redirect(303, oauthState.returnTo || '/');
+}
+//# sourceMappingURL=callback.js.map

package/dist/routes/callback.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback.js","sourceRoot":"","sources":["../../src/routes/callback.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAGhD,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAErF,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,KAAmB,EAAE,GAAiB;IAC1E,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAChD,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAClD,MAAM,UAAU,GAAG,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAEvD,IAAI,UAAU,EAAE,CAAC;QAChB,KAAK,CAAC,GAAG,EAAE,gBAAgB,UAAU,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACrB,KAAK,CAAC,GAAG,EAAE,iCAAiC,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,gBAAgB,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;IACvE,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACvB,KAAK,CAAC,GAAG,EAAE,uDAAuD,CAAC,CAAC;IACrE,CAAC;IAED,IAAI,UAMH,CAAC;IACF,IAAI,CAAC;QACJ,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACR,KAAK,CAAC,GAAG,EAAE,4BAA4B,CAAC,CAAC;IAC1C,CAAC;IAED,IAAI,UAAU,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;QAChC,KAAK,CAAC,GAAG,EAAE,sCAAsC,CAAC,CAAC;IACpD,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,UAAU,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;IAEhE,IAAI,MAA2E,CAAC;IAChF,IAAI,CAAC;QACJ,MAAM,GAAG,MAAM,YAAY,CAAC,GAAG,EAAE,IAAI,EAAE,UAAU,CAAC,aAAa,CAAC,CAAC;IAClE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,0BAA0B,EAAE,GAAG,CAAC,CAAC;QACzE,KAAK,CAAC,GAAG,EAAE,gDAAgD,CAAC,CAAC;IAC9D,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACtB,KAAK,CAAC,GAAG,EAAE,gCAAgC,CAAC,CAAC;IAC9C,CAAC;IAED,IAAI,MAAiD,CAAC;IACtD,IAAI,CAAC;QACJ,MAAM,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACpD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,iCAAiC,EAAE,GAAG,CAAC,CAAC;QAChF,KAAK,CAAC,GAAG,EAAE,oCAAoC,CAAC,CAAC;IAClD,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAEhE,IAAI,YAAY,GAAkB,IAAI,CAAC;IACvC,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,KAAK,KAAK,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7D,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,KAAK,CAAC,CAAC;QACxE,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ;YACjC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,QAAQ,CAAC;YAC5D,CAAC,CAAC,SAAS,CAAC;QACb,MAAM,SAAS,GAAG,MAAM,IAAI,cAAc,CAAC,CAAC,CAAC,CAAC;QAC9C,YAAY,GAAG,SAAS,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,EAAE,IAAI,IAAI,CAAC;IACvE,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE;QAChD,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,aAAa,EAAE,MAAM,CAAC,cAAc;QACpC,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,WAAW,EAAE,MAAM,CAAC,YAAY;QAChC,YAAY,EAAE,MAAM,CAAC,aAAa;QAClC,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,cAAc,EAAE,MAAM,CAAC,cAAc;KACrC,CAAC,CAAC;IAEH,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACvB,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,CAAC,YAAY,IAAI,cAAc,GAAG,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;QACxF,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC;QAC5D,IAAI,YAAY;YAAE,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;QAC3D,QAAQ,CAAC,GAAG,EAAE,GAAG,YAAY,WAAW,MAAM,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,WAAW,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACnF,mBAAmB,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,WAAW,CAAC,UAAU,EAAE,YAAY,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAEzF,QAAQ,CAAC,GAAG,EAAE,UAAU,CAAC,QAAQ,IAAI,GAAG,CAAC,CAAC;AAC3C,CAAC"}

package/dist/routes/login.d.ts

@@ -0,0 +1,3 @@
+import type { RequestEvent } from '@sveltejs/kit';
+import type { OAuthContext } from '../types.js';
+export declare function handleLogin(event: RequestEvent, ctx: OAuthContext): Promise<Response>;

package/dist/routes/login.js

@@ -0,0 +1,26 @@
+import { redirect } from '@sveltejs/kit';
+import { generateState, generateCodeVerifier, computeS256Challenge, buildAuthorizeURL } from '../oauth.js';
+export async function handleLogin(event, ctx) {
+    const returnTo = event.url.searchParams.get('returnTo') ?? '/';
+    const orgHint = event.url.searchParams.get('org_hint') ?? undefined;
+    const mobile = event.url.searchParams.get('mobile') === '1';
+    const state = generateState();
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = await computeS256Challenge(codeVerifier);
+    event.cookies.set(ctx.cookieNames.oauthState, JSON.stringify({
+        state,
+        code_verifier: codeVerifier,
+        returnTo,
+        org_hint: orgHint,
+        mobile
+    }), {
+        path: '/',
+        httpOnly: true,
+        sameSite: 'lax',
+        secure: ctx.secure,
+        maxAge: 600 // 10 minutes
+    });
+    const authorizeUrl = buildAuthorizeURL(ctx, state, codeChallenge, orgHint);
+    redirect(303, authorizeUrl);
+}
+//# sourceMappingURL=login.js.map

package/dist/routes/login.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../src/routes/login.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAGzC,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAE3G,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,KAAmB,EAAE,GAAiB;IACvE,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC;IAC/D,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC;IACpE,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,GAAG,CAAC;IAE5D,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAC9B,MAAM,YAAY,GAAG,oBAAoB,EAAE,CAAC;IAC5C,MAAM,aAAa,GAAG,MAAM,oBAAoB,CAAC,YAAY,CAAC,CAAC;IAE/D,KAAK,CAAC,OAAO,CAAC,GAAG,CAChB,GAAG,CAAC,WAAW,CAAC,UAAU,EAC1B,IAAI,CAAC,SAAS,CAAC;QACd,KAAK;QACL,aAAa,EAAE,YAAY;QAC3B,QAAQ;QACR,QAAQ,EAAE,OAAO;QACjB,MAAM;KACN,CAAC,EACF;QACC,IAAI,EAAE,GAAG;QACT,QAAQ,EAAE,IAAI;QACd,QAAQ,EAAE,KAAK;QACf,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,MAAM,EAAE,GAAG,CAAC,aAAa;KACzB,CACD,CAAC;IAEF,MAAM,YAAY,GAAG,iBAAiB,CAAC,GAAG,EAAE,KAAK,EAAE,aAAa,EAAE,OAAO,CAAC,CAAC;IAC3E,QAAQ,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;AAC7B,CAAC"}

package/dist/routes/logout.d.ts

@@ -0,0 +1,3 @@
+import type { RequestEvent } from '@sveltejs/kit';
+import type { OAuthContext } from '../types.js';
+export declare function handleLogout(event: RequestEvent, ctx: OAuthContext): Promise<Response>;

package/dist/routes/logout.js

@@ -0,0 +1,41 @@
+import { json, redirect } from '@sveltejs/kit';
+import { isBearerRequest, clearSessionCookie, clearActiveTeamCookie } from '../session.js';
+export async function handleLogout(event, ctx) {
+    const isBearer = isBearerRequest(event.request);
+    // Invalidate IAM session by forwarding the cross-subdomain cookie
+    let iamSessionCookie;
+    let iamCookieName;
+    for (const name of ctx.iamSessionCookies) {
+        const val = event.cookies.get(name);
+        if (val) {
+            iamSessionCookie = val;
+            iamCookieName = name;
+            break;
+        }
+    }
+    if (iamSessionCookie && iamCookieName) {
+        try {
+            await fetch(`${ctx.env.IAM_URL}/api/auth/sign-out`, {
+                method: 'POST',
+                headers: {
+                    cookie: `${iamCookieName}=${iamSessionCookie}`
+                }
+            });
+        }
+        catch {
+            // IAM unreachable — continue with local cleanup
+        }
+    }
+    clearSessionCookie(event.cookies, ctx.cookieNames.session);
+    clearActiveTeamCookie(event.cookies, ctx.cookieNames.activeTeam);
+    // Clear cross-subdomain better-auth cookies
+    const cookieDomain = ctx.env.AUTH_COOKIE_DOMAIN ?? '.lvh.me';
+    for (const name of ctx.iamSessionCookies) {
+        event.cookies.delete(name, { path: '/', domain: cookieDomain });
+    }
+    if (isBearer) {
+        return json({ logged_out: true });
+    }
+    redirect(303, '/auth/login');
+}
+//# sourceMappingURL=logout.js.map

package/dist/routes/logout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout.js","sourceRoot":"","sources":["../../src/routes/logout.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAG/C,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAE3F,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,KAAmB,EAAE,GAAiB;IACxE,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAEhD,kEAAkE;IAClE,IAAI,gBAAoC,CAAC;IACzC,IAAI,aAAiC,CAAC;IACtC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,iBAAiB,EAAE,CAAC;QAC1C,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,GAAG,EAAE,CAAC;YACT,gBAAgB,GAAG,GAAG,CAAC;YACvB,aAAa,GAAG,IAAI,CAAC;YACrB,MAAM;QACP,CAAC;IACF,CAAC;IAED,IAAI,gBAAgB,IAAI,aAAa,EAAE,CAAC;QACvC,IAAI,CAAC;YACJ,MAAM,KAAK,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,OAAO,oBAAoB,EAAE;gBACnD,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACR,MAAM,EAAE,GAAG,aAAa,IAAI,gBAAgB,EAAE;iBAC9C;aACD,CAAC,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACR,gDAAgD;QACjD,CAAC;IACF,CAAC;IAED,kBAAkB,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;IAC3D,qBAAqB,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;IAEjE,4CAA4C;IAC5C,MAAM,YAAY,GAAG,GAAG,CAAC,GAAG,CAAC,kBAAkB,IAAI,SAAS,CAAC;IAC7D,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,iBAAiB,EAAE,CAAC;QAC1C,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,IAAI,QAAQ,EAAE,CAAC;QACd,OAAO,IAAI,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;IACnC,CAAC;IAED,QAAQ,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;AAC9B,CAAC"}

package/dist/routes/refresh.d.ts

@@ -0,0 +1,3 @@
+import type { RequestEvent } from '@sveltejs/kit';
+import type { OAuthContext } from '../types.js';
+export declare function handleRefresh(event: RequestEvent, ctx: OAuthContext): Promise<Response>;

package/dist/routes/refresh.js

@@ -0,0 +1,44 @@
+import { json, error } from '@sveltejs/kit';
+import { refreshTokens, verifyIdToken, RefreshError } from '../oauth.js';
+import { readSession, getSessionToken, createSession, setSessionCookie, clearSessionCookie } from '../session.js';
+export async function handleRefresh(event, ctx) {
+    const secret = new TextEncoder().encode(ctx.env.SESSION_SECRET);
+    const token = getSessionToken(event.request, event.cookies, ctx.cookieNames.session);
+    const user = token ? await readSession(secret, token) : null;
+    if (!user) {
+        throw error(401, 'No session');
+    }
+    if (!user.refreshToken) {
+        throw error(400, 'No refresh token available');
+    }
+    try {
+        const tokens = await refreshTokens(ctx, user.refreshToken);
+        let updatedClaims = { ...user, accessToken: tokens.access_token };
+        if (tokens.refresh_token) {
+            updatedClaims.refreshToken = tokens.refresh_token;
+        }
+        if (tokens.id_token) {
+            const idClaims = await verifyIdToken(ctx, tokens.id_token);
+            updatedClaims = {
+                ...updatedClaims,
+                sub: idClaims.sub,
+                email: idClaims.email,
+                name: idClaims.name,
+                emailVerified: idClaims.email_verified,
+                orgs: idClaims.orgs,
+                permissions: idClaims.permissions
+            };
+        }
+        const newToken = await createSession(secret, updatedClaims);
+        setSessionCookie(event.cookies, ctx.cookieNames.session, newToken, ctx.secure);
+        return json({ refreshed: true, token: newToken });
+    }
+    catch (err) {
+        if (err instanceof RefreshError && err.status >= 400 && err.status < 500) {
+            clearSessionCookie(event.cookies, ctx.cookieNames.session);
+            throw error(401, 'Session revoked or expired');
+        }
+        throw err;
+    }
+}
+//# sourceMappingURL=refresh.js.map

package/dist/routes/refresh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../src/routes/refresh.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AAG5C,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACzE,OAAO,EACN,WAAW,EACX,eAAe,EACf,aAAa,EACb,gBAAgB,EAChB,kBAAkB,EAClB,MAAM,eAAe,CAAC;AAEvB,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAmB,EAAE,GAAiB;IACzE,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAChE,MAAM,KAAK,GAAG,eAAe,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;IACrF,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,MAAM,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAE7D,IAAI,CAAC,IAAI,EAAE,CAAC;QACX,MAAM,KAAK,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAChC,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,KAAK,CAAC,GAAG,EAAE,4BAA4B,CAAC,CAAC;IAChD,CAAC;IAED,IAAI,CAAC;QACJ,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAE3D,IAAI,aAAa,GAAG,EAAE,GAAG,IAAI,EAAE,WAAW,EAAE,MAAM,CAAC,YAAY,EAAE,CAAC;QAClE,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;YAC1B,aAAa,CAAC,YAAY,GAAG,MAAM,CAAC,aAAa,CAAC;QACnD,CAAC;QAED,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC3D,aAAa,GAAG;gBACf,GAAG,aAAa;gBAChB,GAAG,EAAE,QAAQ,CAAC,GAAG;gBACjB,KAAK,EAAE,QAAQ,CAAC,KAAK;gBACrB,IAAI,EAAE,QAAQ,CAAC,IAAI;gBACnB,aAAa,EAAE,QAAQ,CAAC,cAAc;gBACtC,IAAI,EAAE,QAAQ,CAAC,IAAI;gBACnB,WAAW,EAAE,QAAQ,CAAC,WAAW;aACjC,CAAC;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;QAC5D,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;QAE/E,OAAO,IAAI,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,IAAI,GAAG,YAAY,YAAY,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YAC1E,kBAAkB,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;YAC3D,MAAM,KAAK,CAAC,GAAG,EAAE,4BAA4B,CAAC,CAAC;QAChD,CAAC;QACD,MAAM,GAAG,CAAC;IACX,CAAC;AACF,CAAC"}

package/dist/routes/set-team.d.ts

@@ -0,0 +1,3 @@
+import type { RequestEvent } from '@sveltejs/kit';
+import type { OAuthContext } from '../types.js';
+export declare function handleSetTeam(event: RequestEvent, ctx: OAuthContext): Promise<Response>;

package/dist/routes/set-team.js

@@ -0,0 +1,62 @@
+import { json, redirect } from '@sveltejs/kit';
+import { readSession, getSessionToken, isBearerRequest, setActiveTeamCookie } from '../session.js';
+export async function handleSetTeam(event, ctx) {
+    const isBearer = isBearerRequest(event.request);
+    const secret = new TextEncoder().encode(ctx.env.SESSION_SECRET);
+    let teamId;
+    if (isBearer) {
+        let body;
+        try {
+            body = await event.request.json();
+        }
+        catch {
+            return json({ error: 'invalid JSON body' }, { status: 400 });
+        }
+        teamId = body.teamId ?? '';
+    }
+    else {
+        const form = await event.request.formData();
+        teamId = form.get('teamId')?.toString() ?? '';
+    }
+    const token = getSessionToken(event.request, event.cookies, ctx.cookieNames.session);
+    if (!token) {
+        if (isBearer)
+            return json({ error: 'unauthorized' }, { status: 401 });
+        redirect(303, '/auth/login');
+    }
+    const session = await readSession(secret, token);
+    if (!session) {
+        if (isBearer)
+            return json({ error: 'unauthorized' }, { status: 401 });
+        redirect(303, '/auth/login');
+    }
+    const activeTeamId = teamId || null;
+    if (activeTeamId) {
+        const hasAccess = session.orgs.some((o) => o.appAccess !== false && o.teams?.some((t) => t.id === activeTeamId));
+        if (!hasAccess) {
+            if (isBearer)
+                return json({ error: 'not a member of this team' }, { status: 403 });
+            redirect(303, '/');
+        }
+    }
+    if (isBearer) {
+        return json({ ok: true, activeTeamId });
+    }
+    setActiveTeamCookie(event.cookies, ctx.cookieNames.activeTeam, activeTeamId, ctx.secure);
+    // Validate referer is same-origin to prevent open redirect
+    const referer = event.request.headers.get('referer');
+    let redirectTo = '/';
+    if (referer) {
+        try {
+            const refererUrl = new URL(referer);
+            if (refererUrl.origin === event.url.origin) {
+                redirectTo = refererUrl.pathname + refererUrl.search;
+            }
+        }
+        catch {
+            // Invalid referer URL — use default
+        }
+    }
+    redirect(303, redirectTo);
+}
+//# sourceMappingURL=set-team.js.map

package/dist/routes/set-team.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"set-team.js","sourceRoot":"","sources":["../../src/routes/set-team.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAG/C,OAAO,EACN,WAAW,EACX,eAAe,EACf,eAAe,EACf,mBAAmB,EACnB,MAAM,eAAe,CAAC;AAEvB,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAmB,EAAE,GAAiB;IACzE,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAEhE,IAAI,MAAc,CAAC;IACnB,IAAI,QAAQ,EAAE,CAAC;QACd,IAAI,IAA6B,CAAC;QAClC,IAAI,CAAC;YACJ,IAAI,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACR,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC9D,CAAC;QACD,MAAM,GAAI,IAAI,CAAC,MAAiB,IAAI,EAAE,CAAC;IACxC,CAAC;SAAM,CAAC;QACP,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QAC5C,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC/C,CAAC;IAED,MAAM,KAAK,GAAG,eAAe,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;IACrF,IAAI,CAAC,KAAK,EAAE,CAAC;QACZ,IAAI,QAAQ;YAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACtE,QAAQ,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACjD,IAAI,CAAC,OAAO,EAAE,CAAC;QACd,IAAI,QAAQ;YAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACtE,QAAQ,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,IAAI,IAAI,CAAC;IAEpC,IAAI,YAAY,EAAE,CAAC;QAClB,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAClC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,KAAK,IAAI,CAAC,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAC3E,CAAC;QACF,IAAI,CAAC,SAAS,EAAE,CAAC;YAChB,IAAI,QAAQ;gBAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,2BAA2B,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YACnF,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACpB,CAAC;IACF,CAAC;IAED,IAAI,QAAQ,EAAE,CAAC;QACd,OAAO,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,CAAC;IACzC,CAAC;IAED,mBAAmB,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,WAAW,CAAC,UAAU,EAAE,YAAY,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAEzF,2DAA2D;IAC3D,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACrD,IAAI,UAAU,GAAG,GAAG,CAAC;IACrB,IAAI,OAAO,EAAE,CAAC;QACb,IAAI,CAAC;YACJ,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;YACpC,IAAI,UAAU,CAAC,MAAM,KAAK,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;gBAC5C,UAAU,GAAG,UAAU,CAAC,QAAQ,GAAG,UAAU,CAAC,MAAM,CAAC;YACtD,CAAC;QACF,CAAC;QAAC,MAAM,CAAC;YACR,oCAAoC;QACrC,CAAC;IACF,CAAC;IAED,QAAQ,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;AAC3B,CAAC"}

package/dist/session.d.ts

@@ -0,0 +1,15 @@
+import type { Cookies } from '@sveltejs/kit';
+import type { SessionClaims } from './types.js';
+export declare const SESSION_MAX_AGE: number;
+export declare const SYNC_AGE: number;
+export declare function createSession(secret: Uint8Array, claims: SessionClaims, maxAge?: number): Promise<string>;
+export declare function isApiToken(token: string): boolean;
+export declare function readSession(secret: Uint8Array, token: string): Promise<SessionClaims | null>;
+export declare function setSessionCookie(cookies: Cookies, cookieName: string, token: string, secure: boolean): void;
+export declare function clearSessionCookie(cookies: Cookies, cookieName: string): void;
+export declare function getSessionCookie(cookies: Cookies, cookieName: string): string | undefined;
+export declare function getSessionToken(request: Request, cookies: Cookies, cookieName: string): string | undefined;
+export declare function isBearerRequest(request: Request): boolean;
+export declare function setActiveTeamCookie(cookies: Cookies, cookieName: string, teamId: string | null, secure: boolean): void;
+export declare function getActiveTeamId(request: Request, cookies: Cookies, cookieName: string): string | null;
+export declare function clearActiveTeamCookie(cookies: Cookies, cookieName: string): void;

package/dist/session.js

@@ -0,0 +1,107 @@
+import * as jose from 'jose';
+export const SESSION_MAX_AGE = 60 * 60 * 24 * 7; // 7 days
+export const SYNC_AGE = 5 * 60; // 5 minutes — revalidate against IAM
+export async function createSession(secret, claims, maxAge = SESSION_MAX_AGE) {
+    const payload = {
+        email: claims.email,
+        name: claims.name,
+        emailVerified: claims.emailVerified,
+        orgs: claims.orgs,
+        accessToken: claims.accessToken,
+        refreshToken: claims.refreshToken,
+        permissions: claims.permissions
+    };
+    if (claims.impersonatedBy) {
+        payload.impersonatedBy = claims.impersonatedBy;
+    }
+    if (claims.apiToken)
+        payload.apiToken = true;
+    if (claims.plan)
+        payload.plan = claims.plan;
+    if (claims.entitlements)
+        payload.entitlements = claims.entitlements;
+    if (claims.addons)
+        payload.addons = claims.addons;
+    return new jose.SignJWT(payload)
+        .setProtectedHeader({ alg: 'HS256' })
+        .setSubject(claims.sub)
+        .setIssuedAt()
+        .setExpirationTime(`${maxAge}s`)
+        .sign(secret);
+}
+export function isApiToken(token) {
+    return token.startsWith('sk_live_');
+}
+export async function readSession(secret, token) {
+    try {
+        const { payload } = await jose.jwtVerify(token, secret);
+        const p = payload;
+        return {
+            sub: payload.sub,
+            email: p.email,
+            name: p.name,
+            emailVerified: p.emailVerified ?? false,
+            orgs: (Array.isArray(p.orgs) ? p.orgs : []),
+            accessToken: p.accessToken,
+            refreshToken: p.refreshToken,
+            permissions: p.permissions,
+            impersonatedBy: p.impersonatedBy,
+            apiToken: p.apiToken || undefined,
+            plan: p.plan,
+            entitlements: p.entitlements,
+            addons: p.addons
+        };
+    }
+    catch {
+        return null;
+    }
+}
+export function setSessionCookie(cookies, cookieName, token, secure) {
+    cookies.set(cookieName, token, {
+        path: '/',
+        httpOnly: true,
+        sameSite: 'lax',
+        secure,
+        maxAge: SESSION_MAX_AGE
+    });
+}
+export function clearSessionCookie(cookies, cookieName) {
+    cookies.delete(cookieName, { path: '/' });
+}
+export function getSessionCookie(cookies, cookieName) {
+    return cookies.get(cookieName);
+}
+export function getSessionToken(request, cookies, cookieName) {
+    const auth = request.headers.get('authorization');
+    if (auth?.startsWith('Bearer ')) {
+        return auth.slice(7);
+    }
+    return getSessionCookie(cookies, cookieName);
+}
+export function isBearerRequest(request) {
+    return request.headers.get('authorization')?.startsWith('Bearer ') ?? false;
+}
+export function setActiveTeamCookie(cookies, cookieName, teamId, secure) {
+    if (teamId) {
+        cookies.set(cookieName, teamId, {
+            path: '/',
+            httpOnly: false,
+            sameSite: 'lax',
+            secure,
+            maxAge: SESSION_MAX_AGE
+        });
+    }
+    else {
+        cookies.delete(cookieName, { path: '/' });
+    }
+}
+export function getActiveTeamId(request, cookies, cookieName) {
+    const headerVal = request.headers.get('x-active-team');
+    if (headerVal)
+        return headerVal;
+    return cookies.get(cookieName) ?? null;
+}
+export function clearActiveTeamCookie(cookies, cookieName) {
+    cookies.delete(cookieName, { path: '/' });
+}
+//# sourceMappingURL=session.js.map

package/dist/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../src/session.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAI7B,MAAM,CAAC,MAAM,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,SAAS;AAC1D,MAAM,CAAC,MAAM,QAAQ,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,qCAAqC;AAErE,MAAM,CAAC,KAAK,UAAU,aAAa,CAClC,MAAkB,EAClB,MAAqB,EACrB,SAAiB,eAAe;IAEhC,MAAM,OAAO,GAA4B;QACxC,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,aAAa,EAAE,MAAM,CAAC,aAAa;QACnC,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,WAAW,EAAE,MAAM,CAAC,WAAW;KAC/B,CAAC;IACF,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;QAC3B,OAAO,CAAC,cAAc,GAAG,MAAM,CAAC,cAAc,CAAC;IAChD,CAAC;IACD,IAAI,MAAM,CAAC,QAAQ;QAAE,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAC7C,IAAI,MAAM,CAAC,IAAI;QAAE,OAAO,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;IAC5C,IAAI,MAAM,CAAC,YAAY;QAAE,OAAO,CAAC,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;IACpE,IAAI,MAAM,CAAC,MAAM;QAAE,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;IAClD,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC;SAC9B,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;SACpC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC;SACtB,WAAW,EAAE;SACb,iBAAiB,CAAC,GAAG,MAAM,GAAG,CAAC;SAC/B,IAAI,CAAC,MAAM,CAAC,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,KAAa;IACvC,OAAO,KAAK,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAChC,MAAkB,EAClB,KAAa;IAEb,IAAI,CAAC;QACJ,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,CAAC,GAAG,OAAkC,CAAC;QAC7C,OAAO;YACN,GAAG,EAAE,OAAO,CAAC,GAAI;YACjB,KAAK,EAAE,CAAC,CAAC,KAAe;YACxB,IAAI,EAAE,CAAC,CAAC,IAAc;YACtB,aAAa,EAAG,CAAC,CAAC,aAAyB,IAAI,KAAK;YACpD,IAAI,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAoB;YAC9D,WAAW,EAAE,CAAC,CAAC,WAAqB;YACpC,YAAY,EAAE,CAAC,CAAC,YAAkC;YAClD,WAAW,EAAE,CAAC,CAAC,WAAmE;YAClF,cAAc,EAAE,CAAC,CAAC,cAAoC;YACtD,QAAQ,EAAG,CAAC,CAAC,QAAoB,IAAI,SAAS;YAC9C,IAAI,EAAE,CAAC,CAAC,IAA6B;YACrC,YAAY,EAAE,CAAC,CAAC,YAA6C;YAC7D,MAAM,EAAE,CAAC,CAAC,MAA8B;SACxC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,IAAI,CAAC;IACb,CAAC;AACF,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC/B,OAAgB,EAChB,UAAkB,EAClB,KAAa,EACb,MAAe;IAEf,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,EAAE;QAC9B,IAAI,EAAE,GAAG;QACT,QAAQ,EAAE,IAAI;QACd,QAAQ,EAAE,KAAK;QACf,MAAM;QACN,MAAM,EAAE,eAAe;KACvB,CAAC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,OAAgB,EAAE,UAAkB;IACtE,OAAO,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,OAAgB,EAAE,UAAkB;IACpE,OAAO,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,eAAe,CAC9B,OAAgB,EAChB,OAAgB,EAChB,UAAkB;IAElB,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAClD,IAAI,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACjC,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACtB,CAAC;IACD,OAAO,gBAAgB,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,OAAgB;IAC/C,OAAO,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,IAAI,KAAK,CAAC;AAC7E,CAAC;AAED,MAAM,UAAU,mBAAmB,CAClC,OAAgB,EAChB,UAAkB,EAClB,MAAqB,EACrB,MAAe;IAEf,IAAI,MAAM,EAAE,CAAC;QACZ,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,MAAM,EAAE;YAC/B,IAAI,EAAE,GAAG;YACT,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,KAAK;YACf,MAAM;YACN,MAAM,EAAE,eAAe;SACvB,CAAC,CAAC;IACJ,CAAC;SAAM,CAAC;QACP,OAAO,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;IAC3C,CAAC;AACF,CAAC;AAED,MAAM,UAAU,eAAe,CAC9B,OAAgB,EAChB,OAAgB,EAChB,UAAkB;IAElB,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACvD,IAAI,SAAS;QAAE,OAAO,SAAS,CAAC;IAChC,OAAO,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,OAAgB,EAAE,UAAkB;IACzE,OAAO,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;AAC3C,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,141 @@
+import type { Handle, ServerInit } from '@sveltejs/kit';
+export interface TeamMembership {
+    id: string;
+    name: string;
+    isDefault: boolean;
+}
+export interface PlanInfo {
+    key: string;
+    status: string;
+    trial: {
+        endsAt: string;
+    } | null;
+}
+export interface B2BEntitlements {
+    ssoEnabled: boolean;
+    maxMembers: number;
+    maxTeams: number;
+    features: Record<string, boolean>;
+}
+export interface OrgMembership {
+    id: string;
+    name: string;
+    slug: string;
+    role: 'owner' | 'admin' | 'member';
+    appAccess?: boolean;
+    teams: TeamMembership[];
+    plan?: PlanInfo;
+    entitlements?: B2BEntitlements;
+    featureFlags?: Record<string, boolean>;
+}
+export interface SessionClaims {
+    sub: string;
+    email: string;
+    name: string;
+    emailVerified: boolean;
+    orgs: OrgMembership[];
+    accessToken: string;
+    refreshToken?: string;
+    /** Per-team permissions for the requesting app: { [teamId]: { [resource]: action[] } } */
+    permissions?: Record<string, Record<string, string[]>>;
+    /** Present when the session was created via admin impersonation. Value is the admin's user ID. */
+    impersonatedBy?: string;
+    /** B2C: user-level plan info */
+    plan?: PlanInfo;
+    /** B2C: user-level entitlements (feature flags) */
+    entitlements?: {
+        features: Record<string, boolean>;
+    };
+    /** B2C: active addon keys */
+    addons?: string[];
+    /** True when this session was created via an M2M API token exchange */
+    apiToken?: boolean;
+}
+/** Helper type for consuming apps to augment their App.Locals */
+export interface OAuthLocals {
+    user: SessionClaims | null;
+    activeTeamId: string | null;
+}
+export type AppModel = 'b2b' | 'b2c';
+export interface ResolvedEnv {
+    IAM_URL: string;
+    SAASAK_APP_SEED: string;
+    SESSION_SECRET: string;
+    ORIGIN: string;
+    AUTH_COOKIE_DOMAIN?: string;
+}
+export interface OAuthHandlerConfig {
+    /** Package name used as OAuth clientId, e.g. '@saasak/app1' */
+    clientId: string;
+    /** Human-readable display name for IAM registration and logging */
+    displayName: string;
+    /** App model: 'b2b' (team-scoped) or 'b2c' (team-less) */
+    appModel: AppModel;
+    /** Cookie prefix, e.g. 'app1' → 'app1_session', 'app1_active_team', 'app1_oauth_state' */
+    cookiePrefix: string;
+    /**
+     * Lazy resolver for environment variables.
+     * Called once on first request (not at module load time) to respect
+     * SvelteKit's prohibition on accessing $env at module scope.
+     */
+    env: () => ResolvedEnv;
+    /** Custom URL scheme for mobile OAuth callback, e.g. 'com.saasak.app1' */
+    mobileScheme?: string;
+    /** IAM registration options (used by init) */
+    registration?: {
+        defaultAllow?: boolean;
+        skipConsent?: boolean;
+        /** App-specific permission schema: { resource: action[] } */
+        permissions?: Record<string, string[]>;
+        /** Feature flag declarations: { system: {...}, org: {...} } */
+        featureFlags?: {
+            system?: Record<string, {
+                description: string;
+                default: boolean;
+            }>;
+            org?: Record<string, {
+                description: string;
+                default: boolean;
+            }>;
+        };
+    };
+    /** Extra path prefixes exempt from auth (besides /auth and /api) */
+    publicPaths?: string[];
+    /**
+     * IAM cross-subdomain session cookie names to check for logout sync.
+     * Default: ['better-auth.session_token', '__Secure-better-auth.session_token']
+     */
+    iamSessionCookies?: string[];
+}
+export interface OAuthContext {
+    config: OAuthHandlerConfig;
+    env: ResolvedEnv;
+    clientSecret: string;
+    secure: boolean;
+    cookieNames: {
+        session: string;
+        activeTeam: string;
+        oauthState: string;
+    };
+    iamSessionCookies: string[];
+    jwksRef: {
+        current: ReturnType<typeof import('jose').createRemoteJWKSet> | null;
+    };
+}
+export interface OAuthHandler {
+    handle: Handle;
+    init: ServerInit;
+    /**
+     * Session reader for use with kit-auth-check's getUser callback.
+     * Reads JWT, handles cross-subdomain sync, and staleness refresh.
+     */
+    getUser: (event: import('@sveltejs/kit').RequestEvent) => Promise<{
+        user: SessionClaims | null;
+        refreshedToken?: string;
+    }>;
+    /**
+     * Force-refresh the session tokens. Useful when claims may be stale
+     * (e.g., org just created on IAM but not yet in the local JWT).
+     */
+    forceRefresh: (event: import('@sveltejs/kit').RequestEvent, currentUser: SessionClaims) => Promise<SessionClaims | null>;
+}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,41 @@
+{
+  "name": "@saasak/kit-oauth",
+  "private": false,
+  "version": "0.0.1",
+  "license": "MIT",
+  "author": "saasak <dev@saasak.studio>",
+  "description": "OAuth2 PKCE client handler for SvelteKit apps with IAM integration",
+  "keywords": [
+    "sveltekit",
+    "oauth",
+    "pkce"
+  ],
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    },
+    "./permissions": {
+      "types": "./dist/permissions.d.ts",
+      "default": "./dist/permissions.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "dependencies": {
+    "@casl/ability": "^6.8.0",
+    "jose": "^6.0.0"
+  },
+  "peerDependencies": {
+    "@sveltejs/kit": "^2.0.0"
+  },
+  "scripts": {
+    "build": "tsc",
+    "clean:build": "rimraf dist",
+    "clean:modules": "rimraf node_modules"
+  }
+}