@scalekit-sdk/node 2.0.0 → 2.1.0

package/src/scalekit.ts

@@ -11,7 +11,8 @@ import OrganizationClient from './organization';
 import PasswordlessClient from './passwordless';
 import UserClient from './user';
 import { IdpInitiatedLoginClaims, IdTokenClaim, User } from './types/auth';
-import { AuthenticationOptions, AuthenticationResponse, AuthorizationUrlOptions, GrantType, LogoutUrlOptions, RefreshTokenResponse } from './types/scalekit';
+import { AuthenticationOptions, AuthenticationResponse, AuthorizationUrlOptions, GrantType, LogoutUrlOptions, RefreshTokenResponse ,TokenValidationOptions } from './types/scalekit';
+import { WebhookVerificationError, ScalekitValidateTokenFailureException } from './errors/base-exception';
 
 const authorizeEndpoint = "oauth/authorize";
 const logoutEndpoint = "oidc/logout";
@@ -175,27 +176,31 @@ export default class ScalekitClient {
   * Get the idp initiated login claims
   * 
   * @param {string} idpInitiatedLoginToken The idp_initiated_login query param from the URL
+  * @param {TokenValidationOptions} options Optional validation options for issuer and audience
   * @returns {object} Returns the idp initiated login claims
   */
-  async getIdpInitiatedLoginClaims(idpInitiatedLoginToken: string): Promise<IdpInitiatedLoginClaims> {
-    return this.validateToken<IdpInitiatedLoginClaims>(idpInitiatedLoginToken);
+  async getIdpInitiatedLoginClaims(idpInitiatedLoginToken: string, options?: TokenValidationOptions): Promise<IdpInitiatedLoginClaims> {
+    return this.validateToken<IdpInitiatedLoginClaims>(idpInitiatedLoginToken, options);
   }
 
   /**
-   * Validates the access token.  
+   * Validates the access token and returns a boolean result.
    * 
    * @param {string} token The token to be validated.
+   * @param {TokenValidationOptions} options Optional validation options for issuer, audience, and scopes
    * @return {Promise<boolean>} Returns true if the token is valid, false otherwise.
    */
-  async validateAccessToken(token: string): Promise<boolean> {
+  async validateAccessToken(token: string, options?: TokenValidationOptions): Promise<boolean> {
     try {
-      await this.validateToken(token);
+      await this.validateToken(token, options);
       return true;
     } catch (_) {
       return false;
     }
   }
 
+
+
   /**
    * Returns the logout URL that can be used to log out the user.
    * @param {LogoutUrlOptions} options Logout URL options
@@ -222,7 +227,7 @@ export default class ScalekitClient {
   }
 
   /**
-   * Verifies the payload of the webhook
+   * Verify webhook payload
    * 
    * @param {string} secret The secret
    * @param {Record<string, string>} headers The headers
@@ -233,46 +238,106 @@ export default class ScalekitClient {
     const webhookId = headers['webhook-id'];
     const webhookTimestamp = headers['webhook-timestamp'];
     const webhookSignature = headers['webhook-signature'];
+    
     if (!webhookId || !webhookTimestamp || !webhookSignature) {
-      throw new Error("Missing required headers");
+      throw new WebhookVerificationError("Missing required headers");
+    }
+    
+    const secretParts = secret.split("_");
+    if (secretParts.length < 2) {
+      throw new WebhookVerificationError("Invalid secret");
     }
-    const timestamp = this.verifyTimestamp(webhookTimestamp);
-    const data = `${webhookId}.${Math.floor(timestamp.getTime() / 1000)}.${payload}`;
-    const secretBytes = Buffer.from(secret.split("_")[1], 'base64');
-    const computedSignature = this.computeSignature(secretBytes, data);
-    const receivedSignatures = webhookSignature.split(" ");
-    for (const versionedSignature of receivedSignatures) {
-      const [version, signature] = versionedSignature.split(",");
-      if (version !== WEBHOOK_SIGNATURE_VERSION) {
-        continue;
+    
+    try {
+      const timestamp = this.verifyTimestamp(webhookTimestamp);
+      const data = `${webhookId}.${Math.floor(timestamp.getTime() / 1000)}.${payload}`;
+      const secretBytes = Buffer.from(secretParts[1], 'base64');
+      const computedSignature = this.computeSignature(secretBytes, data);
+      const receivedSignatures = webhookSignature.split(" ");
+      
+      for (const versionedSignature of receivedSignatures) {
+        const [version, signature] = versionedSignature.split(",");
+        if (version !== WEBHOOK_SIGNATURE_VERSION) {
+          continue;
+        }
+        if (crypto.timingSafeEqual(Buffer.from(signature, 'base64'), Buffer.from(computedSignature, 'base64'))) {
+          return true;
+        }
       }
-      if (crypto.timingSafeEqual(Buffer.from(signature, 'base64'), Buffer.from(computedSignature, 'base64'))) {
-        return true;
+
+      throw new WebhookVerificationError("Invalid signature");
+    } catch (error) {
+      if (error instanceof WebhookVerificationError) {
+        throw error;
       }
+      throw new WebhookVerificationError("Invalid signature");
     }
-
-    throw new Error("Invalid Signature");
   }
 
   /**
-   * Validate token
+   * Validates a token and returns its payload if valid.
+   * Supports issuer, audience, and scope validation.
    * 
    * @param {string} token The token to be validated
-   * @return {Promise<T>} Returns the payload of the token
+   * @param {TokenValidationOptions} options Optional validation options for issuer, audience, and scopes
+   * @return {Promise<T>} Returns the token payload if valid
+   * @throws {ScalekitValidateTokenFailureException} If token is invalid or missing required scopes
    */
-  private async validateToken<T>(token: string): Promise<T> {
+  async validateToken<T>(token: string, options?: TokenValidationOptions): Promise<T> {
     await this.coreClient.getJwks();
     const jwks = jose.createLocalJWKSet({
       keys: this.coreClient.keys
     })
     try {
-      const { payload } = await jose.jwtVerify<T>(token, jwks);
+      const { payload } = await jose.jwtVerify<T>(token, jwks, {
+        ...(options?.issuer && { issuer: options.issuer }),
+        ...(options?.audience && { audience: options.audience })
+      });
+      
+      if (options?.requiredScopes && options.requiredScopes.length > 0) {
+        this.verifyScopes(token, options.requiredScopes);
+      }
+
       return payload;
-    } catch (_) {
-      throw new Error("Invalid token");
+    } catch (error) {
+      throw new ScalekitValidateTokenFailureException(error);
     }
   }
 
+  /**
+   * Verify that the token contains the required scopes
+   * 
+   * @param {string} token The token to verify
+   * @param {string[]} requiredScopes The scopes that must be present in the token
+   * @return {boolean} Returns true if all required scopes are present
+   * @throws {ScalekitValidateTokenFailureException} If required scopes are missing, with details about which scopes are missing
+   */
+  verifyScopes(token: string, requiredScopes: string[]): boolean {
+    const payload = jose.decodeJwt(token);
+    const scopes = this.extractScopesFromPayload(payload);
+    
+    const missingScopes = requiredScopes.filter(scope => !scopes.includes(scope));
+    
+    if (missingScopes.length > 0) {
+      throw new ScalekitValidateTokenFailureException(`Token missing required scopes: ${missingScopes.join(', ')}`);
+    }
+    
+    return true;
+  }
+
+  /**
+   * Extract scopes from token payload
+   * 
+   * @param {any} payload The token payload
+   * @return {string[]} Array of scopes found in the token
+   */
+  private extractScopesFromPayload(payload: Record<string, any>): string[] {
+    const scopes = payload.scopes;
+    return Array.isArray(scopes)
+      ? scopes.filter((scope) => !!scope.trim?.())
+      : [];
+  }
+
   /**
    * Verify the timestamp
    * 
@@ -283,13 +348,13 @@ export default class ScalekitClient {
     const now = Math.floor(Date.now() / 1000);
     const timestamp = parseInt(timestampStr, 10);
     if (isNaN(timestamp)) {
-      throw new Error("Invalid timestamp");
+      throw new WebhookVerificationError("Invalid Signature Headers");
     }
     if (now - timestamp > WEBHOOK_TOLERANCE_IN_SECONDS) {
-      throw new Error("Message timestamp too old");
+      throw new WebhookVerificationError("Message timestamp too old");
     }
     if (timestamp > now + WEBHOOK_TOLERANCE_IN_SECONDS) {
-      throw new Error("Message timestamp too new");
+      throw new WebhookVerificationError("Message timestamp too new");
     }
 
     return new Date(timestamp * 1000);

package/src/types/scalekit.ts

@@ -24,6 +24,12 @@ export type AuthenticationOptions = {
   codeVerifier?: string;
 }
 
+export type TokenValidationOptions = {
+  issuer?: string;
+  audience?: string[];
+  requiredScopes?: string[];
+}
+
 export type AuthenticationResponse = {
   user: User;
   idToken: string;

package/src/types/user.ts

@@ -7,7 +7,7 @@ export interface CreateUserRequest {
     lastName?: string;
   };
   metadata?: Record<string, string>;
-  sendActivationEmail?: boolean;
+  sendInvitationEmail?: boolean;
 }
 
 export interface UpdateUserRequest {

package/src/user.ts

@@ -25,7 +25,9 @@ import {
   ListOrganizationUsersRequest,
   ListOrganizationUsersResponse,
   CreateMembership,
-  UpdateMembership
+  UpdateMembership,
+  ResendInviteRequest,
+  ResendInviteResponse
 } from './pkg/grpc/scalekit/v1/users/users_pb';
 import { CreateUserRequest, UpdateUserRequest as UpdateUserRequestType } from './types/user';
 
@@ -67,8 +69,8 @@ export default class UserClient {
       user
     };
 
-    if (options.sendActivationEmail !== undefined) {
-      request.sendActivationEmail = options.sendActivationEmail;
+    if (options.sendInvitationEmail !== undefined) {
+      request.sendInvitationEmail = options.sendInvitationEmail;
     }
 
     const response = await this.coreClient.connectExec(
@@ -171,7 +173,7 @@ export default class UserClient {
    * @param {object} options The membership options
    * @param {string[]} options.roles The roles to assign
    * @param {Record<string, string>} options.metadata Optional metadata
-   * @param {boolean} options.sendActivationEmail Whether to send activation email
+   * @param {boolean} options.sendInvitationEmail Whether to send invitation email
    * @returns {Promise<CreateMembershipResponse>} The response with updated user
    */
   async createMembership(
@@ -180,7 +182,7 @@ export default class UserClient {
     options: {
       roles?: string[],
       metadata?: Record<string, string>,
-      sendActivationEmail?: boolean
+      sendInvitationEmail?: boolean
     } = {}
   ): Promise<CreateMembershipResponse> {
     const membership = new CreateMembership({
@@ -197,8 +199,8 @@ export default class UserClient {
       membership
     };
 
-    if (options.sendActivationEmail !== undefined) {
-      request.sendActivationEmail = options.sendActivationEmail;
+    if (options.sendInvitationEmail !== undefined) {
+      request.sendInvitationEmail = options.sendInvitationEmail;
     }
 
     return this.coreClient.connectExec(
@@ -288,4 +290,29 @@ export default class UserClient {
       }
     );
   }
+
+  /**
+   * Resend an invitation to a user
+   * @param {string} organizationId The organization id
+   * @param {string} userId The user id
+   * @returns {Promise<ResendInviteResponse>} The response with the invite
+   */
+  async resendInvite(organizationId: string, userId: string): Promise<ResendInviteResponse> {
+    if (!organizationId) {
+      throw new Error('organizationId is required');
+    }
+    if (!userId) {
+      throw new Error('userId is required');
+    }
+
+    const request = new ResendInviteRequest({
+      organizationId,
+      id: userId
+    });
+
+    return this.coreClient.connectExec(
+      this.client.resendInvite,
+      request
+    );
+  }
 }

package/tests/README.md

@@ -0,0 +1,25 @@
+# Scalekit Node SDK Tests
+
+This directory contains the test suite for the Scalekit Node SDK.
+
+## Setup
+
+1. Create a `.env` file in the root directory with the following environment variables:
+
+```env
+# Required for client initialization
+SCALEKIT_ENVIRONMENT_URL= "Your Scalekit environment URL."
+SCALEKIT_CLIENT_ID= " Your Scalekit environment client id "
+SCALEKIT_CLIENT_SECRET= " Your Scalekit environment client secret "
+```
+
+2. Install dependencies:
+```bash
+npm install
+```
+
+## Running Tests
+
+- Run all tests: `npm test`
+- Run tests in watch mode: `npm run test:watch`
+

package/tests/connection.test.ts

@@ -0,0 +1,42 @@
+import ScalekitClient from '../src/scalekit';
+import { describe, it, expect, beforeEach, afterEach } from '@jest/globals';
+import { TestOrganizationManager } from './utils/test-data';
+
+describe('Connections', () => {
+  let client: ScalekitClient;
+  let testOrg: string;
+
+  beforeEach(async () => {
+    // Use global client
+    client = global.client;
+    
+    // Create test organization for each test
+    testOrg = await TestOrganizationManager.createTestOrganization(client);
+  });
+
+  afterEach(async () => {
+    // Clean up test organization
+    await TestOrganizationManager.cleanupTestOrganization(client, testOrg);
+  });
+
+  describe('listConnections', () => {
+    it('should list connections by organization', async () => {
+      const connections = await client.connection.listConnections(testOrg);
+
+      expect(connections).toBeDefined();
+      expect(connections.connections).toBeDefined();
+      expect(Array.isArray(connections.connections)).toBe(true);
+    });
+  });
+
+  describe('listConnectionsByDomain', () => {
+    it('should list connections by domain', async () => {
+      const domain = 'example.com';
+      const connections = await client.connection.listConnectionsByDomain(domain);
+
+      expect(connections).toBeDefined();
+      expect(connections.connections).toBeDefined();
+      expect(Array.isArray(connections.connections)).toBe(true);
+    });
+  });
+}); 

package/tests/directory.test.ts

@@ -0,0 +1,46 @@
+import ScalekitClient from '../src/scalekit';
+import { describe, it, expect, beforeEach, afterEach } from '@jest/globals';
+import { TestOrganizationManager } from './utils/test-data';
+
+describe('Directories', () => {
+  let client: ScalekitClient;
+  let testOrg: string;
+
+  beforeEach(async () => {
+    // Use global client
+    client = global.client;
+    
+    // Create test organization for each test
+    testOrg = await TestOrganizationManager.createTestOrganization(client);
+  });
+
+  afterEach(async () => {
+    // Clean up test organization
+    await TestOrganizationManager.cleanupTestOrganization(client, testOrg);
+  });
+
+  describe('listDirectories', () => {
+    it('should list directories', async () => {
+      const directories = await client.directory.listDirectories(testOrg);
+
+      expect(directories).toBeDefined();
+      expect(directories.directories).toBeDefined();
+      expect(Array.isArray(directories.directories)).toBe(true);
+    });
+  });
+
+  describe('getPrimaryDirectoryByOrganizationId', () => {
+    it('should get primary directory by organization id', async () => {
+      try {
+        const primaryDirectory = await client.directory.getPrimaryDirectoryByOrganizationId(testOrg);
+        
+        expect(primaryDirectory).toBeDefined();
+        expect(primaryDirectory.id).toBeDefined();
+        expect(primaryDirectory.organizationId).toBe(testOrg);
+      } catch (error) {
+        // Expected when no directories exist
+        expect(error).toBeDefined();
+      }
+    });
+  });
+}); 

package/tests/organization.test.ts

@@ -0,0 +1,65 @@
+import ScalekitClient from '../src/scalekit';
+import { describe, it, expect, beforeEach, afterEach } from '@jest/globals';
+import { TestDataGenerator, TestOrganizationManager } from './utils/test-data';
+
+describe('Organizations', () => {
+  let client: ScalekitClient;
+  let testOrg: string;
+
+  beforeEach(async () => {
+    // Use global client
+    client = global.client;
+    
+    // Create test organization for each test
+    testOrg = await TestOrganizationManager.createTestOrganization(client);
+  });
+
+  afterEach(async () => {
+    // Clean up test organization
+    await TestOrganizationManager.cleanupTestOrganization(client, testOrg);
+  });
+
+  describe('listOrganization', () => {
+    it('should list organizations', async () => {
+      const organizations = await client.organization.listOrganization(TestDataGenerator.generatePaginationParams());
+
+      expect(organizations).toBeDefined();
+      expect(organizations.organizations).toBeDefined();
+      expect(Array.isArray(organizations.organizations)).toBe(true);
+      expect(organizations.organizations.length).toBeGreaterThan(0);
+
+      // Verify basic organization attributes
+      const firstOrg = organizations.organizations[0];
+      expect(firstOrg.id).toBeDefined();
+      expect(firstOrg.displayName).toBeDefined();
+    });
+
+    it('should handle pagination', async () => {
+      const firstPage = await client.organization.listOrganization(TestDataGenerator.generatePaginationParams(5));
+
+      expect(firstPage).toBeDefined();
+      expect(firstPage.organizations.length).toBeLessThanOrEqual(5);
+
+      if (firstPage.nextPageToken) {
+        const secondPage = await client.organization.listOrganization({
+          pageSize: 5,
+          pageToken: firstPage.nextPageToken
+        });
+
+        expect(secondPage).toBeDefined();
+        expect(secondPage.organizations).toBeDefined();
+      }
+    });
+  });
+
+  describe('getOrganization', () => {
+    it('should get organization by ID', async () => {
+      const organization = await client.organization.getOrganization(testOrg);
+      
+      expect(organization).toBeDefined();
+      expect(organization.organization).toBeDefined();
+      expect(organization.organization?.id).toBe(testOrg);
+      expect(organization.organization?.displayName).toBeDefined();
+    });
+  });
+}); 

package/tests/passwordless.test.ts

@@ -0,0 +1,108 @@
+import ScalekitClient from '../src/scalekit';
+import { TemplateType } from '../src/pkg/grpc/scalekit/v1/auth/passwordless_pb';
+import { describe, it, expect, beforeEach } from '@jest/globals';
+import { TestDataGenerator } from './utils/test-data';
+
+describe('Passwordless', () => {
+  let client: ScalekitClient;
+
+  beforeEach(() => {
+    // Use global client
+    client = global.client;
+  });
+
+  describe('sendPasswordlessEmail', () => {
+    it('should send passwordless email with basic parameters', async () => {
+      const email = TestDataGenerator.generateUniqueEmail();
+      
+      const response = await client.passwordless.sendPasswordlessEmail(email, TestDataGenerator.generatePasswordlessEmailData());
+
+      expect(response).toBeDefined();
+      expect(response.authRequestId).toBeDefined();
+      expect(response.expiresAt).toBeDefined();
+      expect(response.expiresIn).toBe(3600);
+      expect(response.passwordlessType).toBeDefined();
+    });
+
+    it('should send passwordless email with template variables', async () => {
+      const email = TestDataGenerator.generateUniqueEmail();
+      
+      const response = await client.passwordless.sendPasswordlessEmail(email, TestDataGenerator.generatePasswordlessEmailWithTemplateData());
+
+      expect(response).toBeDefined();
+      expect(response.authRequestId).toBeDefined();
+    });
+
+    it('should throw error for invalid email', async () => {
+      await expect(
+        client.passwordless.sendPasswordlessEmail('', {
+          template: TemplateType.SIGNIN
+        })
+      ).rejects.toThrow('Email must be a valid string');
+    });
+
+    it('should throw error for invalid template type', async () => {
+      const email = TestDataGenerator.generateUniqueEmail();
+      
+      await expect(
+        client.passwordless.sendPasswordlessEmail(email, {
+          template: 'INVALID_TEMPLATE' as any
+        })
+      ).rejects.toThrow('Invalid template type');
+    });
+  });
+
+  describe('verifyPasswordlessEmail', () => {
+    it('should throw error when neither code nor linkToken is provided', async () => {
+      await expect(
+        client.passwordless.verifyPasswordlessEmail({})
+      ).rejects.toThrow('Either code or linkToken must be provided');
+    });
+
+    it('should verify with code', async () => {
+      // Mock code for testing - expected to fail
+      const credential = TestDataGenerator.generateCredentialData('code');
+      
+      try {
+        const response = await client.passwordless.verifyPasswordlessEmail(credential);
+        expect(response).toBeDefined();
+      } catch (error) {
+        // Expected failure with mock code
+        expect(error).toBeDefined();
+      }
+    });
+
+    it('should verify with linkToken', async () => {
+      // Mock linkToken for testing - expected to fail
+      const credential = TestDataGenerator.generateCredentialData('linkToken');
+      
+      try {
+        const response = await client.passwordless.verifyPasswordlessEmail(credential);
+        expect(response).toBeDefined();
+      } catch (error) {
+        // Expected failure with mock linkToken
+        expect(error).toBeDefined();
+      }
+    });
+  });
+
+  describe('resendPasswordlessEmail', () => {
+    it('should resend passwordless email', async () => {
+      // Send initial passwordless email
+      const email = TestDataGenerator.generateUniqueEmail();
+      
+      const sendResponse = await client.passwordless.sendPasswordlessEmail(email, TestDataGenerator.generatePasswordlessEmailData());
+
+      // Resend the email
+      const resendResponse = await client.passwordless.resendPasswordlessEmail(
+        sendResponse.authRequestId
+      );
+
+      expect(resendResponse).toBeDefined();
+      expect(resendResponse.authRequestId).toBeDefined();
+      expect(resendResponse.expiresAt).toBeDefined();
+      expect(resendResponse.expiresIn).toBeDefined();
+      expect(resendResponse.passwordlessType).toBeDefined();
+    });
+  });
+});