npm - @snackbase/sdk - Versions diffs - 0.2.0 → 0.3.0 - Mend

@snackbase/sdk 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.mjs CHANGED Viewed

@@ -36,8 +36,11 @@ var SnackBaseError = class SnackBaseError extends Error {
 	details;
 	field;
 	retryable;
-	constructor(message, code, status, details, retryable = false, field) {
+	constructor(message, code, status, details, retryable = false, field, redirectUrl, authProvider, providerName) {
 		super(message);
+		this.redirectUrl = redirectUrl;
+		this.authProvider = authProvider;
+		this.providerName = providerName;
 		this.name = this.constructor.name;
 		this.code = code;
 		this.status = status;
@@ -66,6 +69,30 @@ var AuthorizationError = class AuthorizationError extends SnackBaseError {
 	}
 };
 /**
+* Thrown when an API key is restricted to superadmin users (403).
+*/
+var ApiKeyRestrictedError = class ApiKeyRestrictedError extends SnackBaseError {
+	constructor(message, details) {
+		super(message || "API keys are restricted to superadmin users. Please use JWT authentication.", "API_KEY_RESTRICTED", 403, details || {
+			suggestion: "Remove apiKey config and use login() instead",
+			documentation: "https://docs.snackbase.com/authentication/api-keys"
+		}, false);
+		Object.setPrototypeOf(this, ApiKeyRestrictedError.prototype);
+	}
+};
+/**
+* Thrown when email verification is required (401).
+*/
+var EmailVerificationRequiredError = class EmailVerificationRequiredError extends SnackBaseError {
+	constructor(message, details) {
+		super(message || "Please check your email inbox to verify your account before logging in.", "EMAIL_VERIFICATION_REQUIRED", 401, details || {
+			suggestion: "Click the verification link sent to your email address",
+			canResend: true
+		}, false);
+		Object.setPrototypeOf(this, EmailVerificationRequiredError.prototype);
+	}
+};
+/**
 * Thrown when a resource is not found (404).
 */
 var NotFoundError = class NotFoundError extends SnackBaseError {
@@ -389,7 +416,9 @@ const contentTypeInterceptor = (request) => {
 const createAuthInterceptor = (getToken, apiKey) => {
 	return (request) => {
 		const isUserSpecific = request.url.includes("/auth/oauth/") || request.url.includes("/auth/saml/");
-		if (apiKey && !isUserSpecific) request.headers["X-API-Key"] = apiKey;
+		if (apiKey && !isUserSpecific) {
+			if (!(request.url.includes("/auth/login") || request.url.includes("/auth/register"))) request.headers["X-API-Key"] = apiKey;
+		}
 		const token = getToken();
 		if (token) request.headers["Authorization"] = `Bearer ${token}`;
 		return request;
@@ -433,6 +462,51 @@ function createErrorFromResponse(response) {
 			return new SnackBaseError(message, "UNKNOWN_ERROR", status, data, false);
 	}
 }
+/**
+* Enhanced error interceptor to handle 403 API key errors and preserve redirects.
+*/
+const createAuthErrorInterceptor = (onAuthError) => {
+	return (error) => {
+		if (error.status === 403 && error.details) {
+			const detail = error.details.detail || error.details.message || "";
+			if (detail.includes("superadmin") || detail.includes("restricted")) {
+				const restrictedError = new ApiKeyRestrictedError(detail, error.details);
+				if (onAuthError) onAuthError(restrictedError);
+				throw restrictedError;
+			}
+		}
+		if (error.status === 403 && error.details?.redirect_url) {
+			error.redirectUrl = error.details.redirect_url;
+			error.authProvider = error.details.auth_provider;
+			error.providerName = error.details.provider_name;
+		}
+		if (error.status === 401 && error.details) {
+			const detail = error.details.detail || error.details.message || "";
+			if (detail.includes("verify") || detail.includes("email")) {
+				const verificationError = new EmailVerificationRequiredError(detail, error.details);
+				if (onAuthError) onAuthError(verificationError);
+				throw verificationError;
+			}
+		}
+		if (error.status === 401 || error.status === 403) {
+			if (onAuthError) onAuthError(error);
+		}
+		throw error;
+	};
+};
+//#endregion
+//#region src/types/auth.ts
+/**
+* Token type enum matching backend TokenType
+*/
+let TokenType = /* @__PURE__ */ function(TokenType) {
+	TokenType["JWT"] = "jwt";
+	TokenType["API_KEY"] = "api_key";
+	TokenType["PERSONAL_TOKEN"] = "personal_token";
+	TokenType["OAUTH"] = "oauth";
+	return TokenType;
+}({});
 //#endregion
 //#region src/core/events.ts
@@ -453,6 +527,74 @@ var AuthEventEmitter = class {
 	}
 };
+//#endregion
+//#region src/core/constants.ts
+/**
+* System account ID for superadmin detection
+* Nil UUID format used by backend
+* @see https://github.com/snackbase/snackbase/blob/main/src/snackbase/infrastructure/api/middleware/authorization.py
+*/
+const SYSTEM_ACCOUNT_ID = "00000000-0000-0000-0000-000000000000";
+/**
+* Token type prefixes matching backend TokenCodec
+*/
+const TOKEN_PREFIXES = {
+	JWT: "sb_jwt",
+	API_KEY: "sb_ak",
+	PERSONAL_TOKEN: "sb_pt",
+	OAUTH: "sb_ot"
+};
+/**
+* Valid token prefixes for validation
+*/
+const VALID_TOKEN_PREFIXES = new Set(Object.values(TOKEN_PREFIXES));
+/**
+* API key endpoint path
+*/
+const API_KEY_BASE_PATH = "/api/v1/admin/api-keys";
+//#endregion
+//#region src/utils/token-utils.ts
+/**
+* Detect token type from token string
+* @param token - The token to analyze
+* @returns Detected token type or undefined
+*/
+function detectTokenType(token) {
+	if (!token) return void 0;
+	switch (token.split(".")[0]) {
+		case TOKEN_PREFIXES.API_KEY: return TokenType.API_KEY;
+		case TOKEN_PREFIXES.PERSONAL_TOKEN: return TokenType.PERSONAL_TOKEN;
+		case TOKEN_PREFIXES.OAUTH: return TokenType.OAUTH;
+		case TOKEN_PREFIXES.JWT: return TokenType.JWT;
+		default: return token.startsWith("ey") ? TokenType.JWT : void 0;
+	}
+}
+/**
+* Check if user is a superadmin
+* @param user - User object to check
+* @returns true if user is superadmin
+*/
+function isSuperadmin(user) {
+	if (!user) return false;
+	return user.account_id === SYSTEM_ACCOUNT_ID;
+}
+/**
+* Format masked API key for display
+* @param key - The full or masked key
+* @returns Formatted masked key
+*/
+function formatMaskedKey(key) {
+	if (!key) return "";
+	if (key.includes("...")) return key;
+	const parts = key.split(".");
+	if (parts.length === 3) {
+		const [, payload, signature] = parts;
+		return `${parts[0]}.${payload.slice(0, 4)}...${signature.slice(-4)}`;
+	}
+	return key;
+}
 //#endregion
 //#region src/core/auth.ts
 const DEFAULT_AUTH_STATE = {
@@ -461,7 +603,8 @@ const DEFAULT_AUTH_STATE = {
 	token: null,
 	refreshToken: null,
 	isAuthenticated: false,
-	expiresAt: null
+	expiresAt: null,
+	tokenType: TokenType.JWT
 };
 var AuthManager = class {
 	state = { ...DEFAULT_AUTH_STATE };
@@ -495,6 +638,76 @@ var AuthManager = class {
 	get isAuthenticated() {
 		return this.state.isAuthenticated;
 	}
+	get tokenType() {
+		return this.state.tokenType;
+	}
+	/**
+	* Update auth state (enhanced to extract token_type)
+	*/
+	async updateState(data) {
+		const user = data.user || (data.user_id ? {
+			id: data.user_id,
+			email: data.email || "",
+			role: data.role || "user",
+			account_id: data.account_id || "",
+			groups: [],
+			is_active: true,
+			created_at: "",
+			last_login: null,
+			token_type: TokenType.JWT
+		} : null);
+		const token = data.token || null;
+		const refreshToken = data.refresh_token || data.refreshToken || null;
+		let tokenType = TokenType.JWT;
+		if (token) tokenType = detectTokenType(token) || TokenType.JWT;
+		else if (user?.token_type) tokenType = user.token_type;
+		this.state = {
+			...this.state,
+			user,
+			account: data.account || (data.account_id ? {
+				id: data.account_id,
+				slug: "",
+				name: "",
+				created_at: ""
+			} : this.state.account),
+			token: token || this.state.token,
+			refreshToken: refreshToken || this.state.refreshToken,
+			isAuthenticated: !!((token || this.state.token) && user),
+			expiresAt: this.calculateExpiry(data) || this.state.expiresAt,
+			tokenType
+		};
+		await this.persist();
+		if (token || user) this.events.emit("auth:login", this.state);
+	}
+	/**
+	* Check if current user is superadmin
+	*/
+	isSuperadmin() {
+		return isSuperadmin(this.state.user);
+	}
+	/**
+	* Check if current session uses API key authentication
+	*/
+	isApiKeySession() {
+		return this.state.tokenType === TokenType.API_KEY;
+	}
+	/**
+	* Check if current session uses personal token authentication
+	*/
+	isPersonalTokenSession() {
+		return this.state.tokenType === TokenType.PERSONAL_TOKEN;
+	}
+	/**
+	* Check if current session uses OAuth authentication
+	*/
+	isOAuthSession() {
+		return this.state.tokenType === TokenType.OAUTH;
+	}
+	calculateExpiry(data) {
+		if (data.expiresAt) return data.expiresAt;
+		if (data.expires_in) return new Date(Date.now() + data.expires_in * 1e3).toISOString();
+		return null;
+	}
 	async setState(newState) {
 		this.state = {
 			...this.state,
@@ -569,21 +782,8 @@ var AuthService = class {
 		if (!data.account && this.defaultAccount) data.account = this.defaultAccount;
 		const authData = (await this.http.post("/api/v1/auth/login", data)).data;
 		console.log("Login Response:", JSON.stringify(authData, null, 2));
-		const refreshToken = authData.refresh_token || authData.refreshToken;
-		let expiresAt = authData.expiresAt;
-		if (authData.expires_in && !expiresAt) expiresAt = new Date(Date.now() + authData.expires_in * 1e3).toISOString();
-		await this.auth.setState({
-			user: authData.user || null,
-			account: authData.account || null,
-			token: authData.token || null,
-			refreshToken: refreshToken || null,
-			expiresAt: expiresAt || null
-		});
-		return {
-			...authData,
-			refreshToken,
-			expiresAt
-		};
+		await this.auth.updateState(authData);
+		return authData;
 	}
 	/**
 	* Register a new user and account.
@@ -600,19 +800,8 @@ var AuthService = class {
 		const refreshToken = this.auth.refreshToken;
 		if (!refreshToken) throw new Error("No refresh token available");
 		const authData = (await this.http.post("/api/v1/auth/refresh", { refresh_token: refreshToken })).data;
-		const newRefreshToken = authData.refresh_token || authData.refreshToken;
-		let expiresAt = authData.expiresAt;
-		if (authData.expires_in && !expiresAt) expiresAt = new Date(Date.now() + authData.expires_in * 1e3).toISOString();
-		await this.auth.setState({
-			token: authData.token || null,
-			refreshToken: newRefreshToken || null,
-			expiresAt: expiresAt || null
-		});
-		return {
-			...authData,
-			refreshToken: newRefreshToken,
-			expiresAt
-		};
+		await this.auth.updateState(authData);
+		return authData;
 	}
 	/**
 	* Log out the current user.
@@ -631,30 +820,8 @@ var AuthService = class {
 	async getCurrentUser() {
 		const authData = (await this.http.get("/api/v1/auth/me")).data;
 		console.log("GetMe Response:", JSON.stringify(authData, null, 2));
-		const user = authData.user || (authData.user_id ? {
-			id: authData.user_id,
-			email: authData.email || "",
-			role: authData.role || "user",
-			groups: [],
-			is_active: true,
-			created_at: "",
-			last_login: null
-		} : null);
-		const account = authData.account || (authData.account_id ? {
-			id: authData.account_id,
-			slug: "",
-			name: "",
-			created_at: ""
-		} : null);
-		await this.auth.setState({
-			user,
-			account
-		});
-		return {
-			...authData,
-			user: user || void 0,
-			account: account || void 0
-		};
+		await this.auth.updateState(authData);
+		return authData;
 	}
 	/**
 	* Initiate password reset flow.
@@ -727,13 +894,7 @@ var AuthService = class {
 			redirectUri,
 			state
 		})).data;
-		await this.auth.setState({
-			user: authData.user,
-			account: authData.account,
-			token: authData.token,
-			refreshToken: authData.refreshToken,
-			expiresAt: authData.expiresAt
-		});
+		await this.auth.updateState(authData);
 		return authData;
 	}
 	/**
@@ -752,13 +913,7 @@ var AuthService = class {
 	*/
 	async handleSAMLCallback(params) {
 		const authData = (await this.http.post("/api/v1/auth/saml/acs", params)).data;
-		await this.auth.setState({
-			user: authData.user,
-			account: authData.account,
-			token: authData.token,
-			refreshToken: authData.refreshToken,
-			expiresAt: authData.expiresAt
-		});
+		await this.auth.updateState(authData);
 		return authData;
 	}
 	/**
@@ -1372,33 +1527,34 @@ var ApiKeyService = class {
 		this.http = http;
 	}
 	/**
-	* List all API keys for the current user.
-	* Keys are masked except for the last 4 characters.
+	* List all API keys
+	* GET /api/v1/admin/api-keys
 	*/
-	async list() {
-		return (await this.http.get("/api/v1/admin/api-keys")).data;
+	async list(params) {
+		return (await this.http.get(API_KEY_BASE_PATH, { params })).data;
 	}
 	/**
-	* Get details for a specific API key.
-	* The key itself is masked.
+	* Get specific API key
+	* GET /api/v1/admin/api-keys/{id}
 	*/
 	async get(keyId) {
-		return (await this.http.get(`/api/v1/admin/api-keys/${keyId}`)).data;
+		return (await this.http.get(`${API_KEY_BASE_PATH}/${encodeURIComponent(keyId)}`)).data;
 	}
 	/**
-	* Create a new API key.
-	* The response includes the full key, which is shown only once.
+	* Create a new API key
+	* POST /api/v1/admin/api-keys
 	*/
 	async create(data) {
-		return (await this.http.post("/api/v1/admin/api-keys", data)).data;
+		const apiKey = (await this.http.post(API_KEY_BASE_PATH, data)).data;
+		if (apiKey.key && !apiKey.masked_key) apiKey.masked_key = formatMaskedKey(apiKey.key);
+		return apiKey;
 	}
 	/**
-	* Revoke an existing API key.
-	* Once revoked, the key can no longer be used.
+	* Revoke an API key
+	* DELETE /api/v1/admin/api-keys/{id}
 	*/
 	async revoke(keyId) {
-		await this.http.delete(`/api/v1/admin/api-keys/${keyId}`);
-		return { success: true };
+		return (await this.http.delete(`${API_KEY_BASE_PATH}/${encodeURIComponent(keyId)}`)).data;
 	}
 };
@@ -2392,6 +2548,7 @@ var SnackBaseClient = class {
 		this.http.addRequestInterceptor(contentTypeInterceptor);
 		this.http.addRequestInterceptor(createAuthInterceptor(() => this.authManager.token || void 0, this.config.apiKey));
 		this.http.addResponseInterceptor(errorNormalizationInterceptor);
+		this.http.addErrorInterceptor(createAuthErrorInterceptor(this.config.onAuthError));
 		this.http.addErrorInterceptor(errorInterceptor);
 	}
 	/**
@@ -2413,6 +2570,36 @@ var SnackBaseClient = class {
 		return this.authManager.isAuthenticated;
 	}
 	/**
+	* Check if current user is superadmin.
+	*/
+	get isSuperadmin() {
+		return this.authManager.isSuperadmin();
+	}
+	/**
+	* Check if current session uses API key authentication.
+	*/
+	get isApiKeySession() {
+		return this.authManager.isApiKeySession();
+	}
+	/**
+	* Check if current session uses personal token authentication.
+	*/
+	get isPersonalTokenSession() {
+		return this.authManager.isPersonalTokenSession();
+	}
+	/**
+	* Check if current session uses OAuth authentication.
+	*/
+	get isOAuthSession() {
+		return this.authManager.isOAuthSession();
+	}
+	/**
+	* Returns the current token type.
+	*/
+	get tokenType() {
+		return this.authManager.tokenType;
+	}
+	/**
 	* Access to authentication methods.
 	*/
 	get auth() {
@@ -2627,4 +2814,4 @@ var SnackBaseClient = class {
 };
 //#endregion
-export { DEFAULT_CONFIG, QueryBuilder, SnackBaseClient, getAutoDetectedStorage };
+export { ApiKeyRestrictedError, AuthenticationError, AuthorizationError, ConflictError, DEFAULT_CONFIG, EmailVerificationRequiredError, NetworkError, NotFoundError, QueryBuilder, RateLimitError, ServerError, SnackBaseClient, SnackBaseError, TimeoutError, TokenType, ValidationError, getAutoDetectedStorage };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@snackbase/sdk",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Core SDK for SnackBase",
   "main": "./dist/index.cjs",
   "module": "./dist/index.mjs",
@@ -27,6 +27,9 @@
   ],
   "author": "SnackBase Team",
   "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
   "devDependencies": {
     "@snackbase/tsconfig": "0.1.0"
   },