@shellui/core 0.2.0-beta.5 → 0.3.0-beta.0

package/src/features/auth/backends/shellui.ts

@@ -0,0 +1,278 @@
+import {
+  buildSessionFromParams,
+  getShellUILoginClientTimezone,
+  getShellUILoginDeviceId,
+  isSessionExpired,
+  normalizeAuthSettings,
+  normalizeRedirectPath,
+} from '../utils';
+import { getShellUILoginCompanyId } from '../utils/clientLoginContext';
+import type { AuthSession, UserPreferences } from '../types';
+import type { AuthBackend } from './types';
+
+const USER_PREFERENCES_ENDPOINT = '/api/v1/preferences';
+const OAUTH_EXCHANGE_ENDPOINT = '/api/v1/oauth/exchange';
+
+export const createShellUIAuthBackend = ({
+  backendUrl,
+  companyId,
+}: {
+  backendUrl: string | null;
+  companyId?: string | number;
+}): AuthBackend => {
+  const refreshWithStoredToken = async (
+    storedSession: AuthSession,
+    nowSeconds: number,
+  ): Promise<AuthSession | null> => {
+    if (!backendUrl || !storedSession.refreshToken) return null;
+
+    const refreshUrl = new URL(`${backendUrl}/api/v1/token`);
+    refreshUrl.searchParams.set('grant_type', 'refresh_token');
+    const clientTz = getShellUILoginClientTimezone();
+    const response = await fetch(refreshUrl.toString(), {
+      method: 'POST',
+      headers: {
+        Accept: 'application/json',
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        refresh_token: storedSession.refreshToken,
+        ...(clientTz ? { client_timezone: clientTz } : {}),
+      }),
+    });
+    if (!response.ok) {
+      throw new Error(`HTTP ${response.status}`);
+    }
+
+    const payload = (await response.json()) as Record<string, unknown>;
+    const refreshParams = new URLSearchParams();
+    if (typeof payload.access_token === 'string')
+      refreshParams.set('access_token', payload.access_token);
+    if (typeof payload.refresh_token === 'string')
+      refreshParams.set('refresh_token', payload.refresh_token);
+    if (typeof payload.expires_at === 'number' || typeof payload.expires_at === 'string') {
+      refreshParams.set('expires_at', String(payload.expires_at));
+    }
+    if (typeof payload.expires_in === 'number' || typeof payload.expires_in === 'string') {
+      refreshParams.set('expires_in', String(payload.expires_in));
+    }
+    if (typeof payload.token_type === 'string') refreshParams.set('token_type', payload.token_type);
+    return buildSessionFromParams(refreshParams, nowSeconds);
+  };
+
+  return {
+    type: 'shellui',
+    readSessionFromCallback: (locationHash, nowSeconds) => {
+      const hashParams = new URLSearchParams(locationHash.replace(/^#/, ''));
+      return buildSessionFromParams(hashParams, nowSeconds);
+    },
+    exchangeOAuthCode: async ({ provider, code, redirectUri, oauthClientId, nowSeconds }) => {
+      if (!backendUrl) {
+        throw new Error('Missing ShellUI backend URL.');
+      }
+      const selectedCompanyId = getShellUILoginCompanyId(companyId);
+      if (!selectedCompanyId) {
+        throw new Error('Missing company_id for OAuth exchange.');
+      }
+      const endpoint = new URL(`${backendUrl}${OAUTH_EXCHANGE_ENDPOINT}`);
+      endpoint.searchParams.set('company_id', selectedCompanyId);
+      const clientTz = getShellUILoginClientTimezone();
+      const clientDeviceId = getShellUILoginDeviceId();
+      const response = await fetch(endpoint.toString(), {
+        method: 'POST',
+        headers: {
+          Accept: 'application/json',
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({
+          provider,
+          code,
+          redirect_uri: redirectUri,
+          ...(typeof oauthClientId === 'number' &&
+          Number.isFinite(oauthClientId) &&
+          oauthClientId > 0
+            ? { company_oauth_client_id: Math.trunc(oauthClientId) }
+            : {}),
+          ...(clientTz ? { client_timezone: clientTz } : {}),
+          ...(clientDeviceId ? { client_device_id: clientDeviceId } : {}),
+        }),
+      });
+      const payload = (await response.json().catch(() => null)) as Record<string, unknown> | null;
+      if (!response.ok) {
+        const err = payload?.error ?? payload?.detail;
+        throw new Error(typeof err === 'string' && err.trim() ? err : `HTTP ${response.status}`);
+      }
+      const refreshParams = new URLSearchParams();
+      if (typeof payload?.access_token === 'string')
+        refreshParams.set('access_token', payload.access_token);
+      if (typeof payload?.refresh_token === 'string')
+        refreshParams.set('refresh_token', payload.refresh_token);
+      if (typeof payload?.expires_at === 'number' || typeof payload?.expires_at === 'string') {
+        refreshParams.set('expires_at', String(payload.expires_at));
+      }
+      if (typeof payload?.expires_in === 'number' || typeof payload?.expires_in === 'string') {
+        refreshParams.set('expires_in', String(payload.expires_in));
+      }
+      if (typeof payload?.token_type === 'string')
+        refreshParams.set('token_type', payload.token_type);
+      return buildSessionFromParams(refreshParams, nowSeconds);
+    },
+    restoreSession: async (storedSession, nowSeconds) => {
+      if (!storedSession) return null;
+      if (!isSessionExpired(storedSession)) return storedSession;
+      return refreshWithStoredToken(storedSession, nowSeconds);
+    },
+    refreshAuthSession: async (currentSession, nowSeconds) => {
+      if (!currentSession?.refreshToken) return null;
+      return refreshWithStoredToken(currentSession, nowSeconds);
+    },
+    startOAuth: (provider, redirectPath, oauthClientId) => {
+      if (!backendUrl) {
+        throw new Error('Missing ShellUI backend URL.');
+      }
+      const redirectToUrl = new URL(
+        `${window.location.origin}${normalizeRedirectPath(redirectPath)}`,
+      );
+      redirectToUrl.searchParams.set('provider', provider);
+      if (
+        typeof oauthClientId === 'number' &&
+        Number.isFinite(oauthClientId) &&
+        oauthClientId > 0
+      ) {
+        redirectToUrl.searchParams.set(
+          'company_oauth_client_id',
+          String(Math.trunc(oauthClientId)),
+        );
+      }
+      const redirectTo = redirectToUrl.toString();
+      const authorizeUrl = new URL(`${backendUrl}/api/v1/authorize`);
+      authorizeUrl.searchParams.set('provider', provider);
+      authorizeUrl.searchParams.set('redirect_to', redirectTo);
+      if (
+        typeof oauthClientId === 'number' &&
+        Number.isFinite(oauthClientId) &&
+        oauthClientId > 0
+      ) {
+        authorizeUrl.searchParams.set('company_oauth_client_id', String(Math.trunc(oauthClientId)));
+      }
+      const selectedCompanyId = getShellUILoginCompanyId(companyId);
+      if (selectedCompanyId) {
+        authorizeUrl.searchParams.set('company_id', selectedCompanyId);
+      }
+      const clientTz = getShellUILoginClientTimezone();
+      if (clientTz) {
+        authorizeUrl.searchParams.set('client_timezone', clientTz);
+      }
+      const clientDeviceId = getShellUILoginDeviceId();
+      if (clientDeviceId) {
+        authorizeUrl.searchParams.set('client_device_id', clientDeviceId);
+      }
+      window.location.assign(authorizeUrl.toString());
+    },
+    startWeb3Ethereum: async () => {
+      throw new Error('Ethereum wallet login is not supported by the shellui backend.');
+    },
+    logout: async (session) => {
+      if (!backendUrl || !session?.accessToken) {
+        return;
+      }
+      const endpoint = new URL(`${backendUrl}/api/v1/logout`);
+      await fetch(endpoint.toString(), {
+        method: 'POST',
+        headers: {
+          Accept: 'application/json',
+          Authorization: `Bearer ${session.accessToken}`,
+        },
+      });
+    },
+    getAuthSettings: async () => {
+      if (!backendUrl) {
+        return { methods: [], oauthProviders: [], oauthClients: [] };
+      }
+      const endpoint = new URL(`${backendUrl}/api/v1/settings`);
+      const selectedCompanyId = getShellUILoginCompanyId(companyId);
+      if (selectedCompanyId) {
+        endpoint.searchParams.set('company_id', selectedCompanyId);
+      }
+      const response = await fetch(endpoint.toString(), {
+        method: 'GET',
+        headers: { Accept: 'application/json' },
+      });
+      if (!response.ok) {
+        throw new Error(`HTTP ${response.status}`);
+      }
+      const payload = (await response.json()) as unknown;
+      return normalizeAuthSettings(payload);
+    },
+    sendMagicLink: async (email, redirectPath) => {
+      if (!backendUrl) {
+        throw new Error('Missing ShellUI backend URL.');
+      }
+      const emailRedirectTo = `${window.location.origin}${normalizeRedirectPath(redirectPath)}`;
+      const response = await fetch(`${backendUrl}/api/v1/otp`, {
+        method: 'POST',
+        headers: {
+          Accept: 'application/json',
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({
+          email,
+          create_user: true,
+          email_redirect_to: emailRedirectTo,
+        }),
+      });
+      if (!response.ok) {
+        const payload = (await response.json().catch(() => null)) as {
+          msg?: string;
+          message?: string;
+          error?: string;
+        } | null;
+        throw new Error(
+          payload?.msg ??
+            payload?.message ??
+            payload?.error ??
+            `Could not send magic link (HTTP ${response.status}).`,
+        );
+      }
+    },
+    syncUserPreferences: async (session, preferences: UserPreferences) => {
+      if (!backendUrl || !session?.accessToken) {
+        return;
+      }
+      const endpoint = new URL(`${backendUrl}${USER_PREFERENCES_ENDPOINT}`);
+      const response = await fetch(endpoint.toString(), {
+        method: 'PUT',
+        headers: {
+          Accept: 'application/json',
+          'Content-Type': 'application/json',
+          Authorization: `Bearer ${session.accessToken}`,
+        },
+        body: JSON.stringify(preferences),
+      });
+      if (!response.ok) {
+        throw new Error(`HTTP ${response.status}`);
+      }
+    },
+    loadUserPreferences: async (session) => {
+      if (!backendUrl || !session?.accessToken) {
+        return null;
+      }
+      const endpoint = new URL(`${backendUrl}${USER_PREFERENCES_ENDPOINT}`);
+      const response = await fetch(endpoint.toString(), {
+        method: 'GET',
+        headers: {
+          Accept: 'application/json',
+          Authorization: `Bearer ${session.accessToken}`,
+        },
+      });
+      if (!response.ok) {
+        throw new Error(`HTTP ${response.status}`);
+      }
+      const preferences = (await response.json()) as Record<string, unknown>;
+      if (!preferences || typeof preferences !== 'object') {
+        return null;
+      }
+      return preferences as UserPreferences;
+    },
+  };
+};

package/src/features/auth/backends/supabase.ts

@@ -0,0 +1,300 @@
+import {
+  buildSessionFromParams,
+  isSessionExpired,
+  normalizeAuthSettings,
+  normalizeRedirectPath,
+} from '../utils';
+import { normalizeJwtUserGroups } from '../utils/decodeJwtPayload';
+import type { AuthSession, UserPreferences } from '../types';
+import type { AuthBackend } from './types';
+import { createClient } from '@supabase/supabase-js';
+
+const USER_METADATA_ENDPOINT = '/auth/v1/user';
+const APP_PREFERENCES_METADATA_KEY = 'shelluiPreferences';
+
+const buildSessionFromSupabaseSession = (session: {
+  access_token: string;
+  refresh_token: string;
+  token_type?: string;
+  expires_at?: number;
+  user?: {
+    id?: string;
+    email?: string;
+    app_metadata?: Record<string, unknown>;
+    user_metadata?: Record<string, unknown>;
+  };
+}): AuthSession => {
+  const userMetadata = session.user?.user_metadata ?? {};
+  const appMetadata = session.user?.app_metadata ?? {};
+  return {
+    accessToken: session.access_token,
+    refreshToken: session.refresh_token,
+    tokenType: session.token_type ?? 'bearer',
+    expiresAt: session.expires_at ?? Math.floor(Date.now() / 1000) + 3600,
+    provider: typeof appMetadata.provider === 'string' ? appMetadata.provider : 'ethereum',
+    userId: session.user?.id ?? null,
+    userEmail: session.user?.email ?? null,
+    userName:
+      typeof userMetadata.full_name === 'string'
+        ? userMetadata.full_name
+        : typeof userMetadata.name === 'string'
+          ? userMetadata.name
+          : null,
+    userAvatarUrl: typeof userMetadata.avatar_url === 'string' ? userMetadata.avatar_url : null,
+    userIsStaff: userMetadata.is_staff === true,
+    userIsCompanyOwner: userMetadata.is_company_owner === true,
+    userGroups: normalizeJwtUserGroups(userMetadata.groups),
+    userPreferences:
+      userMetadata.shelluiPreferences && typeof userMetadata.shelluiPreferences === 'object'
+        ? (userMetadata.shelluiPreferences as UserPreferences)
+        : null,
+  };
+};
+
+export const createSupabaseAuthBackend = ({
+  backendUrl,
+  publishableKey,
+}: {
+  backendUrl: string | null;
+  publishableKey: string | undefined;
+}): AuthBackend => {
+  const refreshWithStoredToken = async (
+    storedSession: AuthSession,
+    nowSeconds: number,
+  ): Promise<AuthSession | null> => {
+    if (!backendUrl || !publishableKey || !storedSession.refreshToken) return null;
+
+    const refreshUrl = new URL(`${backendUrl}/auth/v1/token`);
+    refreshUrl.searchParams.set('grant_type', 'refresh_token');
+    refreshUrl.searchParams.set('apikey', publishableKey);
+
+    const response = await fetch(refreshUrl.toString(), {
+      method: 'POST',
+      headers: {
+        Accept: 'application/json',
+        'Content-Type': 'application/json',
+        apikey: publishableKey,
+        Authorization: `Bearer ${publishableKey}`,
+      },
+      body: JSON.stringify({ refresh_token: storedSession.refreshToken }),
+    });
+
+    if (!response.ok) {
+      throw new Error(`HTTP ${response.status}`);
+    }
+
+    const payload = (await response.json()) as Record<string, unknown>;
+    const refreshParams = new URLSearchParams();
+    if (typeof payload.access_token === 'string')
+      refreshParams.set('access_token', payload.access_token);
+    if (typeof payload.refresh_token === 'string') {
+      refreshParams.set('refresh_token', payload.refresh_token);
+    }
+    if (typeof payload.expires_at === 'number' || typeof payload.expires_at === 'string') {
+      refreshParams.set('expires_at', String(payload.expires_at));
+    }
+    if (typeof payload.expires_in === 'number' || typeof payload.expires_in === 'string') {
+      refreshParams.set('expires_in', String(payload.expires_in));
+    }
+    if (typeof payload.token_type === 'string') refreshParams.set('token_type', payload.token_type);
+
+    return buildSessionFromParams(refreshParams, nowSeconds);
+  };
+
+  return {
+    type: 'supabase',
+    readSessionFromCallback: (locationHash, nowSeconds) => {
+      const hashParams = new URLSearchParams(locationHash.replace(/^#/, ''));
+      return buildSessionFromParams(hashParams, nowSeconds);
+    },
+    exchangeOAuthCode: async () => null,
+    restoreSession: async (storedSession, nowSeconds) => {
+      if (!storedSession) return null;
+      if (!isSessionExpired(storedSession)) return storedSession;
+      return refreshWithStoredToken(storedSession, nowSeconds);
+    },
+    refreshAuthSession: async (currentSession, nowSeconds) => {
+      if (!currentSession?.refreshToken) return null;
+      return refreshWithStoredToken(currentSession, nowSeconds);
+    },
+    startOAuth: (provider, redirectPath) => {
+      if (!backendUrl || !publishableKey) {
+        throw new Error('Missing Supabase backend URL or publishableKey.');
+      }
+      const redirectTo = `${window.location.origin}${normalizeRedirectPath(redirectPath)}`;
+      const authorizeUrl = new URL(`${backendUrl}/auth/v1/authorize`);
+      authorizeUrl.searchParams.set('provider', provider);
+      authorizeUrl.searchParams.set('redirect_to', redirectTo);
+      authorizeUrl.searchParams.set('apikey', publishableKey);
+      window.location.assign(authorizeUrl.toString());
+    },
+    startWeb3Ethereum: async () => {
+      if (!backendUrl || !publishableKey) {
+        throw new Error('Missing Supabase backend URL or publishableKey.');
+      }
+      if (
+        typeof window === 'undefined' ||
+        typeof (window as Window & { ethereum?: unknown }).ethereum === 'undefined'
+      ) {
+        throw new Error('No Ethereum wallet found. Install a wallet like MetaMask.');
+      }
+
+      const supabase = createClient(backendUrl, publishableKey, {
+        auth: {
+          persistSession: false,
+          autoRefreshToken: false,
+          detectSessionInUrl: false,
+        },
+      });
+
+      const { data, error } = await supabase.auth.signInWithWeb3({
+        chain: 'ethereum',
+        statement: `Sign in to ${window.location.host}`,
+      });
+      if (error) {
+        throw new Error(error.message);
+      }
+
+      const session = data.session;
+      if (!session?.access_token || !session.refresh_token) {
+        throw new Error('Ethereum sign-in completed but no session was returned.');
+      }
+      return buildSessionFromSupabaseSession(session);
+    },
+    logout: async (session) => {
+      if (!backendUrl || !publishableKey || !session?.accessToken) {
+        return;
+      }
+
+      const signOutUrl = new URL(`${backendUrl}/auth/v1/logout`);
+      signOutUrl.searchParams.set('apikey', publishableKey);
+      await fetch(signOutUrl.toString(), {
+        method: 'POST',
+        headers: {
+          Accept: 'application/json',
+          apikey: publishableKey,
+          Authorization: `Bearer ${session.accessToken}`,
+        },
+      });
+    },
+    getAuthSettings: async () => {
+      if (!backendUrl) {
+        return { methods: [], oauthProviders: [], oauthClients: [] };
+      }
+
+      const endpoint = new URL(`${backendUrl}/auth/v1/settings`);
+      if (publishableKey) {
+        endpoint.searchParams.set('apikey', publishableKey);
+      }
+
+      const headers: HeadersInit = { Accept: 'application/json' };
+      if (publishableKey) {
+        headers.apikey = publishableKey;
+        headers.Authorization = `Bearer ${publishableKey}`;
+      }
+
+      const response = await fetch(endpoint.toString(), { method: 'GET', headers });
+      if (!response.ok) {
+        throw new Error(`HTTP ${response.status}`);
+      }
+
+      const payload = (await response.json()) as unknown;
+      return normalizeAuthSettings(payload);
+    },
+    sendMagicLink: async (email, redirectPath) => {
+      if (!backendUrl || !publishableKey) {
+        throw new Error('Missing Supabase backend URL or publishableKey.');
+      }
+
+      const otpUrl = new URL(`${backendUrl}/auth/v1/otp`);
+      otpUrl.searchParams.set('apikey', publishableKey);
+      const emailRedirectTo = `${window.location.origin}${normalizeRedirectPath(redirectPath)}`;
+
+      const response = await fetch(otpUrl.toString(), {
+        method: 'POST',
+        headers: {
+          Accept: 'application/json',
+          'Content-Type': 'application/json',
+          apikey: publishableKey,
+          Authorization: `Bearer ${publishableKey}`,
+        },
+        body: JSON.stringify({
+          email,
+          create_user: true,
+          email_redirect_to: emailRedirectTo,
+        }),
+      });
+
+      if (!response.ok) {
+        const payload = (await response.json().catch(() => null)) as {
+          msg?: string;
+          message?: string;
+          error_description?: string;
+        } | null;
+        throw new Error(
+          payload?.msg ??
+            payload?.message ??
+            payload?.error_description ??
+            `Could not send magic link (HTTP ${response.status}).`,
+        );
+      }
+    },
+    syncUserPreferences: async (session, preferences: UserPreferences) => {
+      if (!backendUrl || !publishableKey || !session?.accessToken) {
+        return;
+      }
+
+      const userUrl = new URL(`${backendUrl}${USER_METADATA_ENDPOINT}`);
+      userUrl.searchParams.set('apikey', publishableKey);
+
+      const response = await fetch(userUrl.toString(), {
+        method: 'PUT',
+        headers: {
+          Accept: 'application/json',
+          'Content-Type': 'application/json',
+          apikey: publishableKey,
+          Authorization: `Bearer ${session.accessToken}`,
+        },
+        body: JSON.stringify({
+          data: {
+            [APP_PREFERENCES_METADATA_KEY]: preferences,
+          },
+        }),
+      });
+
+      if (!response.ok) {
+        throw new Error(`HTTP ${response.status}`);
+      }
+    },
+    loadUserPreferences: async (session) => {
+      if (!backendUrl || !publishableKey || !session?.accessToken) {
+        return null;
+      }
+
+      const userUrl = new URL(`${backendUrl}${USER_METADATA_ENDPOINT}`);
+      userUrl.searchParams.set('apikey', publishableKey);
+
+      const response = await fetch(userUrl.toString(), {
+        method: 'GET',
+        headers: {
+          Accept: 'application/json',
+          apikey: publishableKey,
+          Authorization: `Bearer ${session.accessToken}`,
+        },
+      });
+
+      if (!response.ok) {
+        throw new Error(`HTTP ${response.status}`);
+      }
+
+      const payload = (await response.json()) as {
+        user_metadata?: Record<string, unknown>;
+      };
+      const preferences = payload.user_metadata?.[APP_PREFERENCES_METADATA_KEY];
+      if (!preferences || typeof preferences !== 'object') {
+        return null;
+      }
+      return preferences as UserPreferences;
+    },
+  };
+};

package/src/features/auth/backends/types.ts

@@ -0,0 +1,30 @@
+import type { BackendConfig } from '../../config/types';
+import type { AuthSession, AuthSettings, UserPreferences } from '../types';
+
+export interface AuthBackend {
+  type: BackendConfig['type'] | 'none';
+  readSessionFromCallback: (locationHash: string, nowSeconds: number) => AuthSession | null;
+  exchangeOAuthCode: (params: {
+    provider: string;
+    code: string;
+    redirectUri: string;
+    oauthClientId?: number;
+    nowSeconds: number;
+  }) => Promise<AuthSession | null>;
+  restoreSession: (
+    storedSession: AuthSession | null,
+    nowSeconds: number,
+  ) => Promise<AuthSession | null>;
+  /** Re-fetch tokens so the access JWT reflects latest user claims (e.g. after preference sync). */
+  refreshAuthSession: (
+    session: AuthSession | null,
+    nowSeconds: number,
+  ) => Promise<AuthSession | null>;
+  startOAuth: (provider: string, redirectPath: string, oauthClientId?: number) => void;
+  startWeb3Ethereum: () => Promise<AuthSession | null>;
+  logout: (session: AuthSession | null) => Promise<void>;
+  getAuthSettings: () => Promise<AuthSettings>;
+  sendMagicLink: (email: string, redirectPath: string) => Promise<void>;
+  syncUserPreferences: (session: AuthSession | null, preferences: UserPreferences) => Promise<void>;
+  loadUserPreferences: (session: AuthSession | null) => Promise<UserPreferences | null>;
+}