@sentroy-co/client-sdk 2.13.7 → 2.13.9

package/src/auth/http.ts

@@ -0,0 +1,101 @@
+import { SentroyAuthError } from "./types"
+
+/**
+ * Auth-as-a-Service shared HTTP layer. Project's signup/login/refresh
+ * endpoints'iyle aynı format (JSON request + JSON response, 401/403/4xx
+ * tek-tip `{error, error_description}` shape).
+ *
+ * `apiKey` opsiyonel — browser SDK end-user akışında apiKey-less
+ * (server-only güvenlik), admin SDK her zaman set'li.
+ */
+
+const DEFAULT_AUTH_BASE_URL = "https://auth.sentroy.com"
+
+export interface AuthHttpOptions {
+  authBaseUrl?: string
+  projectSlug: string
+  apiKey?: string
+  /** Hata-fırlatma yerine raw response döndür — caller fine-grained handling. */
+  rawErrors?: boolean
+}
+
+export class AuthHttp {
+  readonly baseUrl: string
+  readonly projectSlug: string
+  readonly apiKey?: string
+
+  constructor(opts: AuthHttpOptions) {
+    this.baseUrl = (opts.authBaseUrl || DEFAULT_AUTH_BASE_URL).replace(
+      /\/+$/,
+      "",
+    )
+    this.projectSlug = opts.projectSlug
+    this.apiKey = opts.apiKey
+  }
+
+  url(path: string): string {
+    const p = path.startsWith("/") ? path : `/${path}`
+    return `${this.baseUrl}/api/v1/auth/${this.projectSlug}${p}`
+  }
+
+  async request<T>(
+    path: string,
+    init: RequestInit & {
+      json?: unknown
+      bearer?: string
+    } = {},
+  ): Promise<T> {
+    const headers = new Headers(init.headers)
+    headers.set("Accept", "application/json")
+    if (init.json !== undefined) {
+      headers.set("Content-Type", "application/json")
+    }
+    // Auth precedence: explicit `bearer` (user access token) > project `apiKey`.
+    // Caller chooses the one that fits the endpoint.
+    if (init.bearer) {
+      headers.set("Authorization", `Bearer ${init.bearer}`)
+    } else if (this.apiKey) {
+      headers.set("Authorization", `Bearer ${this.apiKey}`)
+    }
+
+    const res = await fetch(this.url(path), {
+      ...init,
+      headers,
+      body: init.json !== undefined ? JSON.stringify(init.json) : init.body,
+    })
+
+    let payload: unknown = null
+    const ct = res.headers.get("content-type") ?? ""
+    if (ct.includes("application/json")) {
+      try {
+        payload = await res.json()
+      } catch {
+        payload = null
+      }
+    }
+
+    if (!res.ok) {
+      const err =
+        payload && typeof payload === "object"
+          ? (payload as { error?: string; error_description?: string })
+          : {}
+      throw new SentroyAuthError(
+        err.error ?? "http_error",
+        err.error_description ?? `HTTP ${res.status}`,
+        res.status,
+      )
+    }
+
+    // Sentroy admin endpoints wrap in `{data}`; public endpoints sometimes
+    // too. SDK auto-unwraps when present so callers don't keep .data on
+    // every call.
+    if (
+      payload &&
+      typeof payload === "object" &&
+      "data" in (payload as Record<string, unknown>)
+    ) {
+      return (payload as { data: T }).data
+    }
+    return payload as T
+  }
+}

package/src/auth/index.ts

@@ -0,0 +1,35 @@
+/**
+ * Sentroy Auth-as-a-Service — browser/server SDK entry.
+ *
+ *   import { SentroyAuth } from "@sentroy-co/client-sdk/auth"
+ *   const auth = new SentroyAuth({ projectSlug: "my-app" })
+ *
+ * For server admin operations (verifyIdToken, etc):
+ *   import { SentroyAuthAdmin } from "@sentroy-co/client-sdk/auth/admin"
+ *
+ * For React integration:
+ *   import { SentroyAuthProvider, useAuth } from "@sentroy-co/client-sdk/auth/react"
+ */
+
+export { SentroyAuth } from "./client"
+export type {
+  SentroyAuthOptions,
+  AuthStateChangeListener,
+  AuthStorageAdapter,
+} from "./client"
+export {
+  SentroyAuthError,
+  type SentroyAuthUser,
+  type SignupResponse,
+  type LoginResponse,
+  type AuthTokensResponse,
+  type LoginOutcome,
+  type MfaChallengeResponse,
+  type SessionSummary,
+  type ActivityEntry,
+  type MfaStatus,
+  type MfaEnrollResponse,
+  type MfaVerifyEnrollmentResponse,
+  type PasskeySummary,
+  type SocialProvider,
+} from "./types"

package/src/auth/react/index.tsx

@@ -0,0 +1,351 @@
+"use client"
+
+import {
+  createContext,
+  useCallback,
+  useContext,
+  useEffect,
+  useMemo,
+  useState,
+  type ReactNode,
+} from "react"
+import { SentroyAuth, type SentroyAuthOptions } from "../client"
+import type {
+  SentroyAuthUser,
+  SessionSummary,
+  ActivityEntry,
+  MfaStatus,
+  PasskeySummary,
+} from "../types"
+
+/**
+ * Sentroy Auth React integration.
+ *
+ *   <SentroyAuthProvider projectSlug="my-app">
+ *     <App />
+ *   </SentroyAuthProvider>
+ *
+ *   const { user, loading, signIn, signOut } = useAuth()
+ *
+ * Provider içeride tek bir `SentroyAuth` instance tutar (mount/unmount
+ * arasında stable), `onAuthStateChanged` ile React state'i senkron tutar.
+ * `loading` ilk render → restore tamam mı henüz değil ayrımı için.
+ *
+ * Yeni method'lar (MFA, magic link, passkey, social, /me/*) tüm
+ * `auth` instance üzerinden erişilebilir — context'te kısayol olarak
+ * en sık kullanılanlar mevcut.
+ */
+
+interface AuthContextValue {
+  /** Underlying SDK instance — gelişmiş senaryolarda doğrudan kullan. */
+  auth: SentroyAuth
+  user: SentroyAuthUser | null
+  /** True iken provider ilk state'i restore etmiş değil — UI'da
+   *  "spinner" göster, "redirect to /login" tetikleme. */
+  loading: boolean
+  // Sık kullanılan kısayollar (proxies)
+  signIn: SentroyAuth["signIn"]
+  signUp: SentroyAuth["signUp"]
+  signOut: SentroyAuth["signOut"]
+  sendPasswordReset: SentroyAuth["sendPasswordReset"]
+  verifyEmail: SentroyAuth["verifyEmail"]
+  verifyMfa: SentroyAuth["verifyMfa"]
+  sendMagicLink: SentroyAuth["sendMagicLink"]
+  consumeMagicLink: SentroyAuth["consumeMagicLink"]
+  acceptInvitation: SentroyAuth["acceptInvitation"]
+  socialAuthorizeUrl: SentroyAuth["socialAuthorizeUrl"]
+  consumeRedirectFragment: SentroyAuth["consumeRedirectFragment"]
+}
+
+const AuthContext = createContext<AuthContextValue | null>(null)
+
+export function SentroyAuthProvider({
+  children,
+  autoConsumeFragment = true,
+  ...opts
+}: SentroyAuthOptions & {
+  children: ReactNode
+  /** Mount'ta `window.location.hash`'ten social-login fragment'ı
+   *  consume et — default true. RP'nin redirectUri'sinde session
+   *  otomatik kurulur. */
+  autoConsumeFragment?: boolean
+}) {
+  // Single instance — opts deep-compare'a girersek dependency drift'i
+  // restart'a yol açar. Caller `projectSlug` değiştirmemeli runtime'da.
+  const auth = useMemo(
+    () => new SentroyAuth(opts),
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+    [opts.projectSlug, opts.authBaseUrl, opts.apiKey],
+  )
+  const [user, setUser] = useState<SentroyAuthUser | null>(auth.user)
+  const [loading, setLoading] = useState(true)
+
+  useEffect(() => {
+    const unsubscribe = auth.onAuthStateChanged((u) => {
+      setUser(u)
+      setLoading(false)
+    })
+    return unsubscribe
+  }, [auth])
+
+  // Social login redirect handler — fragment varsa otomatik consume
+  useEffect(() => {
+    if (!autoConsumeFragment) return
+    if (typeof window === "undefined") return
+    if (!window.location.hash.includes("access_token=")) return
+    auth.consumeRedirectFragment().catch(() => {
+      // Fragment varsa ama consume fail ise sessizce yut — caller
+      // gerekirse manuel tekrar dener.
+    })
+  }, [auth, autoConsumeFragment])
+
+  const value = useMemo<AuthContextValue>(
+    () => ({
+      auth,
+      user,
+      loading,
+      signIn: (i) => auth.signIn(i),
+      signUp: (i) => auth.signUp(i),
+      signOut: () => auth.signOut(),
+      sendPasswordReset: (e) => auth.sendPasswordReset(e),
+      verifyEmail: (t) => auth.verifyEmail(t),
+      verifyMfa: (i) => auth.verifyMfa(i),
+      sendMagicLink: (i) => auth.sendMagicLink(i),
+      consumeMagicLink: (t) => auth.consumeMagicLink(t),
+      acceptInvitation: (i) => auth.acceptInvitation(i),
+      socialAuthorizeUrl: (p, o) => auth.socialAuthorizeUrl(p, o),
+      consumeRedirectFragment: () => auth.consumeRedirectFragment(),
+    }),
+    [auth, user, loading],
+  )
+
+  return <AuthContext.Provider value={value}>{children}</AuthContext.Provider>
+}
+
+export function useAuth(): AuthContextValue {
+  const ctx = useContext(AuthContext)
+  if (!ctx) {
+    throw new Error(
+      "useAuth must be used inside <SentroyAuthProvider> — wrap your app root.",
+    )
+  }
+  return ctx
+}
+
+/**
+ * Convenience: yalnızca current user istenirse. `loading` durumunda null
+ * dönerken bekleyebilirsin.
+ */
+export function useUser(): SentroyAuthUser | null {
+  return useAuth().user
+}
+
+/**
+ * Reactive sessions hook — `/me/sessions` çağırır, refresh trigger eden
+ * `refresh()` döner. Manual revoke sonrası caller `refresh()` çağırır.
+ */
+export function useSessions(): {
+  sessions: SessionSummary[] | null
+  loading: boolean
+  error: Error | null
+  refresh: () => Promise<void>
+  revoke: (id: string) => Promise<void>
+} {
+  const { auth, user } = useAuth()
+  const [sessions, setSessions] = useState<SessionSummary[] | null>(null)
+  const [loading, setLoading] = useState(false)
+  const [error, setError] = useState<Error | null>(null)
+
+  const refresh = useCallback(async () => {
+    if (!user) {
+      setSessions(null)
+      return
+    }
+    setLoading(true)
+    setError(null)
+    try {
+      const data = await auth.listSessions()
+      setSessions(data)
+    } catch (e) {
+      setError(e instanceof Error ? e : new Error(String(e)))
+    } finally {
+      setLoading(false)
+    }
+  }, [auth, user])
+
+  useEffect(() => {
+    refresh()
+  }, [refresh])
+
+  const revoke = useCallback(
+    async (id: string) => {
+      await auth.revokeSession(id)
+      await refresh()
+    },
+    [auth, refresh],
+  )
+
+  return { sessions, loading, error, refresh, revoke }
+}
+
+/**
+ * Reactive activity log hook — `/me/activity`. RP'nin "recent activity"
+ * tab'ı için.
+ */
+export function useActivity(): {
+  activity: ActivityEntry[] | null
+  loading: boolean
+  error: Error | null
+  refresh: () => Promise<void>
+} {
+  const { auth, user } = useAuth()
+  const [activity, setActivity] = useState<ActivityEntry[] | null>(null)
+  const [loading, setLoading] = useState(false)
+  const [error, setError] = useState<Error | null>(null)
+
+  const refresh = useCallback(async () => {
+    if (!user) {
+      setActivity(null)
+      return
+    }
+    setLoading(true)
+    setError(null)
+    try {
+      const data = await auth.getActivity()
+      setActivity(data)
+    } catch (e) {
+      setError(e instanceof Error ? e : new Error(String(e)))
+    } finally {
+      setLoading(false)
+    }
+  }, [auth, user])
+
+  useEffect(() => {
+    refresh()
+  }, [refresh])
+
+  return { activity, loading, error, refresh }
+}
+
+/**
+ * Reactive MFA status. enroll / verify / disable wrapper'ları, status
+ * otomatik yeniden çekilir.
+ */
+export function useMfa(): {
+  status: MfaStatus | null
+  loading: boolean
+  error: Error | null
+  refresh: () => Promise<void>
+  enrollTotp: SentroyAuth["mfa"]["enrollTotp"]
+  verifyTotpEnrollment: (code: string) => Promise<void>
+  disableTotp: (currentPassword: string) => Promise<void>
+} {
+  const { auth, user } = useAuth()
+  const [status, setStatus] = useState<MfaStatus | null>(null)
+  const [loading, setLoading] = useState(false)
+  const [error, setError] = useState<Error | null>(null)
+
+  const refresh = useCallback(async () => {
+    if (!user) {
+      setStatus(null)
+      return
+    }
+    setLoading(true)
+    setError(null)
+    try {
+      const data = await auth.mfa.getStatus()
+      setStatus(data)
+    } catch (e) {
+      setError(e instanceof Error ? e : new Error(String(e)))
+    } finally {
+      setLoading(false)
+    }
+  }, [auth, user])
+
+  useEffect(() => {
+    refresh()
+  }, [refresh])
+
+  const verifyTotpEnrollment = useCallback(
+    async (code: string) => {
+      await auth.mfa.verifyTotpEnrollment(code)
+      await refresh()
+    },
+    [auth, refresh],
+  )
+
+  const disableTotp = useCallback(
+    async (currentPassword: string) => {
+      await auth.mfa.disableTotp(currentPassword)
+      await refresh()
+    },
+    [auth, refresh],
+  )
+
+  return {
+    status,
+    loading,
+    error,
+    refresh,
+    enrollTotp: () => auth.mfa.enrollTotp(),
+    verifyTotpEnrollment,
+    disableTotp,
+  }
+}
+
+/**
+ * Reactive passkey list — list/delete/register, mutation sonrası
+ * otomatik refresh.
+ */
+export function usePasskeys(): {
+  passkeys: PasskeySummary[] | null
+  loading: boolean
+  error: Error | null
+  refresh: () => Promise<void>
+  register: (deviceName?: string) => Promise<void>
+  remove: (id: string) => Promise<void>
+} {
+  const { auth, user } = useAuth()
+  const [passkeys, setPasskeys] = useState<PasskeySummary[] | null>(null)
+  const [loading, setLoading] = useState(false)
+  const [error, setError] = useState<Error | null>(null)
+
+  const refresh = useCallback(async () => {
+    if (!user) {
+      setPasskeys(null)
+      return
+    }
+    setLoading(true)
+    setError(null)
+    try {
+      const data = await auth.passkey.list()
+      setPasskeys(data)
+    } catch (e) {
+      setError(e instanceof Error ? e : new Error(String(e)))
+    } finally {
+      setLoading(false)
+    }
+  }, [auth, user])
+
+  useEffect(() => {
+    refresh()
+  }, [refresh])
+
+  const register = useCallback(
+    async (deviceName?: string) => {
+      await auth.passkey.register(deviceName)
+      await refresh()
+    },
+    [auth, refresh],
+  )
+
+  const remove = useCallback(
+    async (id: string) => {
+      await auth.passkey.delete(id)
+      await refresh()
+    },
+    [auth, refresh],
+  )
+
+  return { passkeys, loading, error, refresh, register, remove }
+}

package/src/auth/types.ts

@@ -0,0 +1,126 @@
+/**
+ * Sentroy Auth-as-a-Service — SDK types.
+ *
+ * Public types are kept narrow on purpose: SDK shapes evolve with backend;
+ * caller code should depend on these names, not on hand-coded interfaces.
+ */
+
+export interface SentroyAuthUser {
+  id: string
+  authProjectId: string
+  email: string
+  emailVerified: boolean
+  displayName: string | null
+  image: string | null
+  metadata: Record<string, unknown>
+  lastLoginAt: string | null
+  createdAt: string
+  updatedAt: string
+}
+
+export interface AuthTokensResponse {
+  accessToken: string
+  refreshToken: string
+  expiresIn: number
+  tokenType: "Bearer"
+}
+
+export interface SignupResponse {
+  user: SentroyAuthUser
+  /** Email verification gerekiyorsa undefined; aksi halde set. */
+  accessToken?: string
+  refreshToken?: string
+  expiresIn?: number
+  tokenType?: "Bearer"
+  emailVerificationRequired?: boolean
+}
+
+export interface LoginResponse {
+  user: SentroyAuthUser
+  accessToken: string
+  refreshToken: string
+  expiresIn: number
+  tokenType: "Bearer"
+}
+
+export interface AuthApiError {
+  error: string
+  error_description: string
+}
+
+export class SentroyAuthError extends Error {
+  readonly code: string
+  readonly status: number
+  constructor(code: string, message: string, status: number) {
+    super(message)
+    this.name = "SentroyAuthError"
+    this.code = code
+    this.status = status
+  }
+}
+
+/**
+ * Login response when MFA is enrolled — first step returns mfaRequired+
+ * mfaToken; second step `verifyMfa(mfaToken, code)` issues final tokens.
+ */
+export interface MfaChallengeResponse {
+  mfaRequired: true
+  mfaToken: string
+  factorType: "totp"
+}
+
+/** Discriminated union — Login may resolve to tokens OR MFA challenge. */
+export type LoginOutcome =
+  | { kind: "tokens"; data: LoginResponse }
+  | { kind: "mfa"; data: MfaChallengeResponse }
+
+export interface SessionSummary {
+  id: string
+  refreshTokenPrefix: string
+  userAgent: string | null
+  ip: string | null
+  expiresAt: string
+  createdAt: string
+}
+
+export interface ActivityEntry {
+  id: string
+  action: string
+  ipAddress: string | null
+  createdAt: string
+  details: Record<string, unknown> | null
+}
+
+export interface MfaStatus {
+  enrolled: boolean
+  factorType?: "totp"
+  verifiedAt?: string | null
+  recoveryCodesRemaining?: number
+}
+
+export interface MfaEnrollResponse {
+  secret: string
+  otpauthUri: string
+}
+
+export interface MfaVerifyEnrollmentResponse {
+  enrolled: true
+  recoveryCodes: string[]
+}
+
+export interface PasskeySummary {
+  id: string
+  credentialIdPrefix: string
+  deviceName: string | null
+  transports: string[]
+  lastUsedAt: string | null
+  createdAt: string
+}
+
+export type SocialProvider =
+  | "google"
+  | "github"
+  | "facebook"
+  | "microsoft"
+  | "twitter"
+  | "apple"