@stackwright-pro/auth 0.1.0

package/dist/index.js

@@ -0,0 +1,1182 @@
+'use strict';
+
+var zod = require('zod');
+var x509 = require('@peculiar/x509');
+var jose = require('jose');
+var react = require('react');
+var jsxRuntime = require('react/jsx-runtime');
+
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+
+var jose__namespace = /*#__PURE__*/_interopNamespace(jose);
+
+// src/schemas/auth-schemas.ts
+var pkiConfigSchema = zod.z.object({
+  type: zod.z.literal("pki"),
+  profile: zod.z.enum(["dod_cac", "piv", "custom"]),
+  source: zod.z.enum(["gateway_headers", "direct_tls"]),
+  headerPrefix: zod.z.string().optional().default("x-client-cert-"),
+  verifiedHeader: zod.z.string().optional().default("x-client-cert-verified"),
+  requiredValue: zod.z.string().optional().default("SUCCESS"),
+  caChain: zod.z.string().optional(),
+  requiredOU: zod.z.array(zod.z.string()).optional(),
+  allowedIssuers: zod.z.array(zod.z.string()).optional()
+});
+var oidcConfigSchema = zod.z.object({
+  type: zod.z.literal("oidc"),
+  provider: zod.z.enum([
+    "cognito",
+    "azure_ad",
+    "authentik",
+    "keycloak",
+    "okta",
+    "auth0",
+    "custom"
+  ]),
+  discoveryUrl: zod.z.string().url(),
+  clientId: zod.z.string(),
+  clientSecret: zod.z.string(),
+  redirectUri: zod.z.string().optional(),
+  claimsMapping: zod.z.object({
+    user_id: zod.z.string().optional(),
+    email: zod.z.string().optional(),
+    name: zod.z.string().optional(),
+    roles: zod.z.string().optional()
+  }).optional(),
+  quirks: zod.z.object({
+    skipIssuerCheck: zod.z.boolean().optional(),
+    useRefreshTokenRotation: zod.z.boolean().optional()
+  }).optional()
+});
+var authConfigSchema = zod.z.discriminatedUnion("type", [
+  pkiConfigSchema,
+  oidcConfigSchema
+]);
+var componentAuthSchema = zod.z.object({
+  required_roles: zod.z.array(zod.z.string()).optional(),
+  required_permissions: zod.z.array(zod.z.string()).optional(),
+  fallback: zod.z.enum(["hide", "placeholder", "message"]).optional().default("hide"),
+  fallback_message: zod.z.string().optional()
+}).optional();
+var rbacConfigSchema = zod.z.object({
+  roles: zod.z.array(
+    zod.z.object({
+      name: zod.z.string(),
+      permissions: zod.z.array(zod.z.string()).optional()
+    })
+  ),
+  protected_routes: zod.z.array(
+    zod.z.object({
+      path: zod.z.string(),
+      roles: zod.z.array(zod.z.string())
+    })
+  ).optional(),
+  public_routes: zod.z.array(zod.z.string()).optional()
+});
+var authUserSchema = zod.z.object({
+  id: zod.z.string(),
+  email: zod.z.string().email().optional(),
+  name: zod.z.string().optional(),
+  roles: zod.z.array(zod.z.string()),
+  permissions: zod.z.array(zod.z.string()).optional(),
+  metadata: zod.z.record(zod.z.string(), zod.z.any()).optional()
+});
+var authSessionSchema = zod.z.object({
+  user: authUserSchema,
+  expiresAt: zod.z.number(),
+  issuedAt: zod.z.number(),
+  refreshToken: zod.z.string().optional()
+});
+function parseCertificate(pemOrDer) {
+  const cert = new x509.X509Certificate(pemOrDer);
+  const subjectAttrs = cert.subject.split(",").map((s) => s.trim());
+  const issuerAttrs = cert.issuer.split(",").map((s) => s.trim());
+  return {
+    subject: parseNameAttributes(subjectAttrs),
+    issuer: {
+      commonName: extractAttribute(issuerAttrs, "CN"),
+      organization: extractAttribute(issuerAttrs, "O")
+    },
+    serialNumber: cert.serialNumber,
+    notBefore: cert.notBefore,
+    notAfter: cert.notAfter,
+    isValid: Date.now() >= cert.notBefore.getTime() && Date.now() <= cert.notAfter.getTime()
+  };
+}
+function extractAttribute(attrs, key) {
+  for (const attr of attrs) {
+    const [attrKey, ...valueParts] = attr.split("=");
+    if (attrKey.trim().toUpperCase() === key.toUpperCase()) {
+      return valueParts.join("=").trim();
+    }
+  }
+  return void 0;
+}
+function extractAttributes(attrs, key) {
+  const results = [];
+  for (const attr of attrs) {
+    const [attrKey, ...valueParts] = attr.split("=");
+    if (attrKey.trim().toUpperCase() === key.toUpperCase()) {
+      results.push(valueParts.join("=").trim());
+    }
+  }
+  return results;
+}
+function parseNameAttributes(attrs) {
+  return {
+    commonName: extractAttribute(attrs, "CN"),
+    email: extractAttribute(attrs, "E") || extractAttribute(attrs, "emailAddress"),
+    organizationalUnit: extractAttributes(attrs, "OU"),
+    organization: extractAttribute(attrs, "O"),
+    country: extractAttribute(attrs, "C")
+  };
+}
+function extractEDIPI(cert) {
+  const EDIPI_OID = "2.16.840.1.101.2.1.11.42";
+  for (const ext of cert.extensions) {
+    if (ext.type === EDIPI_OID) {
+      const value = ext.value;
+      return Buffer.from(value).toString("hex");
+    }
+  }
+  return void 0;
+}
+function validateDoDCAC(parsed) {
+  const hasDoDOU = parsed.subject.organizationalUnit?.some(
+    (ou) => ou.toUpperCase().includes("DOD") || ou === "DoD"
+  );
+  if (!parsed.isValid) {
+    return false;
+  }
+  if (!hasDoDOU) {
+    return false;
+  }
+  return true;
+}
+function parseCertFromHeaders(headers, prefix = "x-client-cert-") {
+  const dnHeader = headers[`${prefix}dn`] || headers[`${prefix}subject-dn`];
+  const serialHeader = headers[`${prefix}serial`];
+  const verifiedHeader = headers[`${prefix}verified`];
+  if (!dnHeader) {
+    return null;
+  }
+  const subject = parseDN(dnHeader);
+  return {
+    subject,
+    issuer: {},
+    // Not available from headers
+    serialNumber: serialHeader || "unknown",
+    notBefore: /* @__PURE__ */ new Date(0),
+    // Not available from headers
+    notAfter: new Date(Date.now() + 365 * 24 * 60 * 60 * 1e3),
+    // Assume valid for a year
+    isValid: verifiedHeader?.toUpperCase() === "SUCCESS"
+  };
+}
+function parseDN(dn) {
+  const parts = dn.split(",").map((p) => p.trim());
+  const result = {
+    organizationalUnit: []
+  };
+  for (const part of parts) {
+    const [key, ...valueParts] = part.split("=");
+    const value = valueParts.join("=");
+    switch (key.toUpperCase()) {
+      case "CN":
+        result.commonName = value;
+        break;
+      case "E":
+      case "EMAILADDRESS":
+        result.email = value;
+        break;
+      case "OU":
+        result.organizationalUnit?.push(value);
+        break;
+      case "O":
+        result.organization = value;
+        break;
+      case "C":
+        result.country = value;
+        break;
+    }
+  }
+  return result;
+}
+
+// src/providers/pki-provider.ts
+var PKIProvider = class {
+  constructor(config) {
+    this.config = config;
+  }
+  async authenticate(context) {
+    let parsed = null;
+    if (this.config.source === "gateway_headers") {
+      if (!context.headers) {
+        return null;
+      }
+      parsed = parseCertFromHeaders(context.headers, this.config.headerPrefix);
+    } else {
+      const certData = context.headers?.["x-client-cert"];
+      if (!certData) {
+        return null;
+      }
+      parsed = parseCertificate(certData);
+    }
+    if (!parsed) {
+      return null;
+    }
+    if (!parsed.isValid) {
+      return null;
+    }
+    if (this.config.profile === "dod_cac") {
+      if (!validateDoDCAC(parsed)) {
+        return null;
+      }
+    }
+    if (this.config.requiredOU) {
+      const hasRequiredOU = this.config.requiredOU.some(
+        (required) => parsed.subject.organizationalUnit?.some((ou) => ou.includes(required))
+      );
+      if (!hasRequiredOU) {
+        return null;
+      }
+    }
+    if (this.config.allowedIssuers) {
+      const issuerCN = parsed.issuer.commonName;
+      if (!issuerCN || !this.config.allowedIssuers.includes(issuerCN)) {
+        return null;
+      }
+    }
+    const user = {
+      id: parsed.serialNumber,
+      // Use serial as unique ID
+      name: parsed.subject.commonName,
+      email: parsed.subject.email,
+      roles: this.extractRolesFromCertificate(parsed),
+      metadata: {
+        organizationalUnit: parsed.subject.organizationalUnit,
+        organization: parsed.subject.organization,
+        country: parsed.subject.country,
+        issuer: parsed.issuer.commonName,
+        notBefore: parsed.notBefore.toISOString(),
+        notAfter: parsed.notAfter.toISOString()
+      }
+    };
+    return user;
+  }
+  async validate(session) {
+    if (Date.now() > session.expiresAt) {
+      return false;
+    }
+    return true;
+  }
+  /**
+   * Extract roles from certificate based on organizational units
+   * Can be customized per deployment via subclassing
+   */
+  extractRolesFromCertificate(parsed) {
+    const roles = [];
+    const ous = parsed.subject.organizationalUnit || [];
+    if (ous.some((ou) => ou.includes("ADMIN") || ou.includes("ADMINISTRATOR"))) {
+      roles.push("ADMIN");
+    } else if (ous.some((ou) => ou.includes("ANALYST"))) {
+      roles.push("ANALYST");
+    } else {
+      roles.push("VIEWER");
+    }
+    return roles;
+  }
+};
+
+// src/oidc/discovery.ts
+async function discoverOIDC(discoveryUrl) {
+  const response = await fetch(discoveryUrl);
+  if (!response.ok) {
+    throw new Error(`OIDC discovery failed: ${response.statusText}`);
+  }
+  const metadata = await response.json();
+  if (!metadata.issuer || !metadata.authorization_endpoint || !metadata.token_endpoint || !metadata.jwks_uri) {
+    throw new Error("Invalid OIDC metadata: missing required fields");
+  }
+  return metadata;
+}
+function buildAuthorizationUrl(metadata, clientId, redirectUri, state, scopes = ["openid", "profile", "email"]) {
+  const url = new URL(metadata.authorization_endpoint);
+  url.searchParams.set("client_id", clientId);
+  url.searchParams.set("redirect_uri", redirectUri);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("scope", scopes.join(" "));
+  if (state) {
+    url.searchParams.set("state", state);
+  }
+  return url.toString();
+}
+async function exchangeCodeForTokens(metadata, code, clientId, clientSecret, redirectUri) {
+  const response = await fetch(metadata.token_endpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      "Authorization": `Basic ${Buffer.from(`${clientId}:${clientSecret}`).toString("base64")}`
+    },
+    body: new URLSearchParams({
+      grant_type: "authorization_code",
+      code,
+      redirect_uri: redirectUri
+    })
+  });
+  if (!response.ok) {
+    const error = await response.text();
+    throw new Error(`Token exchange failed: ${error}`);
+  }
+  return await response.json();
+}
+async function refreshAccessToken(metadata, refreshToken, clientId, clientSecret) {
+  const response = await fetch(metadata.token_endpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      "Authorization": `Basic ${Buffer.from(`${clientId}:${clientSecret}`).toString("base64")}`
+    },
+    body: new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken
+    })
+  });
+  if (!response.ok) {
+    throw new Error("Token refresh failed");
+  }
+  return await response.json();
+}
+async function validateIdToken(idToken, jwksUri, issuer, clientId, skipIssuerCheck = false) {
+  const JWKS = jose__namespace.createRemoteJWKSet(new URL(jwksUri));
+  const { payload } = await jose__namespace.jwtVerify(idToken, JWKS, {
+    issuer: skipIssuerCheck ? void 0 : issuer,
+    audience: clientId
+  });
+  return payload;
+}
+
+// src/oidc/providers/keycloak-adapter.ts
+var KeycloakAdapter = class {
+  /**
+   * Normalize Keycloak issuer (remove /auth prefix if present)
+   * 
+   * Keycloak's issuer URLs changed between versions:
+   * - Pre-17: https://keycloak.example.com/auth/realms/myrealm
+   * - Post-17: https://keycloak.example.com/realms/myrealm
+   * 
+   * This normalizes to the post-17 format.
+   * 
+   * @param issuer - Issuer from token or metadata
+   * @returns Normalized issuer
+   */
+  static normalizeIssuer(issuer) {
+    return issuer.replace("/auth/realms/", "/realms/");
+  }
+  /**
+   * Map Keycloak-specific claims to standard format
+   * 
+   * Keycloak stores roles and groups in non-standard locations:
+   * - Roles: realm_access.roles (not standard)
+   * - Groups: groups array (sometimes, if configured)
+   * - Username: preferred_username (not always 'name')
+   * 
+   * @param tokenPayload - Raw JWT payload from Keycloak
+   * @returns Normalized claims matching AuthUser interface
+   */
+  static mapClaims(tokenPayload) {
+    return {
+      user_id: tokenPayload.sub,
+      email: tokenPayload.email,
+      name: tokenPayload.name || tokenPayload.preferred_username,
+      roles: tokenPayload.realm_access?.roles || [],
+      groups: tokenPayload.groups || [],
+      // Keep original payload for advanced use cases
+      ...tokenPayload
+    };
+  }
+  /**
+   * Keycloak refresh tokens should be refreshed earlier than spec suggests
+   * 
+   * Keycloak's refresh token rotation is buggy and sometimes fails if you
+   * wait too long. Refresh aggressively when less than 10 minutes remain.
+   * 
+   * @param expiresIn - Seconds until token expires
+   * @returns true if token should be refreshed now
+   */
+  static shouldRefreshToken(expiresIn) {
+    return expiresIn < 600;
+  }
+};
+
+// src/providers/oidc-provider.ts
+var OIDCProvider = class {
+  constructor(config) {
+    this.config = config;
+  }
+  metadata = null;
+  /**
+   * Initialize provider by discovering OIDC configuration
+   * 
+   * Call this during app startup to pre-fetch OIDC metadata.
+   * If not called, metadata will be lazily loaded on first use.
+   */
+  async initialize() {
+    this.metadata = await discoverOIDC(this.config.discoveryUrl);
+  }
+  /**
+   * Get metadata (lazy load if not initialized)
+   * 
+   * @returns OIDC metadata
+   */
+  async getMetadata() {
+    if (!this.metadata) {
+      await this.initialize();
+    }
+    return this.metadata;
+  }
+  /**
+   * Authenticate user by exchanging authorization code for tokens
+   * 
+   * This is called after the user is redirected back from the OIDC provider
+   * with an authorization code in the query parameters.
+   * 
+   * @param context - Auth context with query params containing authorization code
+   * @returns Authenticated user or null if no code present
+   * @throws Error if token exchange or validation fails
+   */
+  async authenticate(context) {
+    const code = context.query?.code;
+    const redirectUri = this.config.redirectUri || "/api/auth/callback";
+    if (!code) {
+      return null;
+    }
+    const metadata = await this.getMetadata();
+    const tokens = await exchangeCodeForTokens(
+      metadata,
+      code,
+      this.config.clientId,
+      this.config.clientSecret,
+      redirectUri
+    );
+    const issuer = this.config.quirks?.skipIssuerCheck ? void 0 : this.config.provider === "keycloak" ? KeycloakAdapter.normalizeIssuer(metadata.issuer) : metadata.issuer;
+    const claims = await validateIdToken(
+      tokens.id_token,
+      metadata.jwks_uri,
+      issuer || metadata.issuer,
+      this.config.clientId,
+      this.config.quirks?.skipIssuerCheck
+    );
+    const mappedClaims = this.config.provider === "keycloak" ? KeycloakAdapter.mapClaims(claims) : claims;
+    const user = {
+      id: this.getClaimValue(mappedClaims, this.config.claimsMapping?.user_id, "sub"),
+      email: this.getClaimValue(mappedClaims, this.config.claimsMapping?.email, "email"),
+      name: this.getClaimValue(mappedClaims, this.config.claimsMapping?.name, "name"),
+      roles: this.extractRoles(mappedClaims),
+      metadata: {
+        provider: this.config.provider,
+        originalClaims: mappedClaims
+      }
+    };
+    return user;
+  }
+  /**
+   * Validate session (check if token is still valid)
+   * 
+   * Simple time-based validation. For more security, you could:
+   * - Call the userinfo endpoint
+   * - Verify token hasn't been revoked
+   * - Check against a session store
+   * 
+   * @param session - Session to validate
+   * @returns true if session is still valid
+   */
+  async validate(session) {
+    if (Date.now() > session.expiresAt) {
+      return false;
+    }
+    return true;
+  }
+  /**
+   * Refresh session using refresh token
+   * 
+   * When the access token expires, use the refresh token to get new tokens
+   * without requiring the user to re-authenticate.
+   * 
+   * @param session - Session with refresh token
+   * @returns Updated session with new tokens, or null if refresh failed
+   */
+  async refresh(session) {
+    if (!session.refreshToken) {
+      return null;
+    }
+    const metadata = await this.getMetadata();
+    try {
+      const tokens = await refreshAccessToken(
+        metadata,
+        session.refreshToken,
+        this.config.clientId,
+        this.config.clientSecret
+      );
+      return {
+        ...session,
+        expiresAt: Date.now() + tokens.expires_in * 1e3,
+        refreshToken: tokens.refresh_token || session.refreshToken
+      };
+    } catch (error) {
+      return null;
+    }
+  }
+  /**
+   * Get authorization URL for initiating OIDC login
+   * 
+   * Redirect users to this URL to start the authentication flow.
+   * 
+   * @param redirectUri - Where to redirect after authentication
+   * @param state - CSRF protection token (recommended)
+   * @returns Authorization URL
+   */
+  async getAuthorizationUrl(redirectUri, state) {
+    const metadata = await this.getMetadata();
+    return buildAuthorizationUrl(metadata, this.config.clientId, redirectUri, state);
+  }
+  /**
+   * Extract claim value with fallback
+   * 
+   * Tries custom mapped key first, then falls back to default key.
+   * 
+   * @param claims - JWT claims
+   * @param mappedKey - Custom mapped key from config
+   * @param defaultKey - Default OIDC key
+   * @returns Claim value or undefined
+   */
+  getClaimValue(claims, mappedKey, defaultKey) {
+    if (mappedKey && claims[mappedKey]) {
+      return claims[mappedKey];
+    }
+    if (defaultKey && claims[defaultKey]) {
+      return claims[defaultKey];
+    }
+    return void 0;
+  }
+  /**
+   * Extract roles from claims (provider-specific logic)
+   * 
+   * Different OIDC providers store roles in different places:
+   * - Standard: 'roles' claim
+   * - Keycloak: realm_access.roles
+   * - Cognito: cognito:groups
+   * - Azure AD: roles claim
+   * 
+   * @param claims - JWT claims
+   * @returns Array of role strings
+   */
+  extractRoles(claims) {
+    if (this.config.claimsMapping?.roles) {
+      const rolesValue = claims[this.config.claimsMapping.roles];
+      if (Array.isArray(rolesValue)) {
+        return rolesValue;
+      }
+      if (typeof rolesValue === "string") {
+        return [rolesValue];
+      }
+    }
+    if (Array.isArray(claims.roles)) {
+      return claims.roles;
+    }
+    if (claims.realm_access?.roles) {
+      return claims.realm_access.roles;
+    }
+    if (claims["cognito:groups"]) {
+      return claims["cognito:groups"];
+    }
+    return [];
+  }
+};
+var SessionManager = class {
+  secret;
+  sessionDuration;
+  algorithm;
+  issuer;
+  audience;
+  constructor(config) {
+    if (config.secret.length < 32) {
+      throw new Error("Session secret must be at least 32 characters");
+    }
+    this.secret = new TextEncoder().encode(config.secret);
+    this.sessionDuration = config.sessionDuration || 900;
+    this.algorithm = config.algorithm || "HS256";
+    this.issuer = config.issuer;
+    this.audience = config.audience;
+  }
+  /**
+   * Create a new session for authenticated user
+   */
+  async createSession(user, refreshToken) {
+    const now = Date.now();
+    const expiresAt = now + this.sessionDuration * 1e3;
+    const session = {
+      user,
+      issuedAt: now,
+      expiresAt,
+      refreshToken
+    };
+    return session;
+  }
+  /**
+   * Sign session into a JWT
+   */
+  async signSession(session) {
+    const jwt = await new jose__namespace.SignJWT({
+      user: session.user,
+      refreshToken: session.refreshToken
+    }).setProtectedHeader({ alg: this.algorithm }).setIssuedAt(session.issuedAt / 1e3).setExpirationTime(session.expiresAt / 1e3).setIssuer(this.issuer || "stackwright-auth").setAudience(this.audience || "stackwright-app").sign(this.secret);
+    return jwt;
+  }
+  /**
+   * Verify and decode session JWT
+   */
+  async verifySession(jwt) {
+    try {
+      const { payload } = await jose__namespace.jwtVerify(jwt, this.secret, {
+        issuer: this.issuer || "stackwright-auth",
+        audience: this.audience || "stackwright-app"
+      });
+      const session = {
+        user: payload.user,
+        issuedAt: (payload.iat || 0) * 1e3,
+        // Convert back to milliseconds
+        expiresAt: (payload.exp || 0) * 1e3,
+        refreshToken: payload.refreshToken
+      };
+      return session;
+    } catch (error) {
+      return null;
+    }
+  }
+  /**
+   * Check if session is expired
+   */
+  isExpired(session) {
+    return Date.now() > session.expiresAt;
+  }
+  /**
+   * Check if session should be refreshed (within 5 minutes of expiry)
+   */
+  shouldRefresh(session) {
+    const timeUntilExpiry = session.expiresAt - Date.now();
+    const REFRESH_THRESHOLD = 5 * 60 * 1e3;
+    return timeUntilExpiry < REFRESH_THRESHOLD && timeUntilExpiry > 0;
+  }
+  /**
+   * Refresh session (extend expiration)
+   */
+  async refreshSession(session) {
+    return {
+      ...session,
+      issuedAt: Date.now(),
+      expiresAt: Date.now() + this.sessionDuration * 1e3
+    };
+  }
+  /**
+   * Serialize session to string (for cookies/localStorage)
+   */
+  async serialize(session) {
+    return this.signSession(session);
+  }
+  /**
+   * Deserialize session from string
+   */
+  async deserialize(serialized) {
+    return this.verifySession(serialized);
+  }
+};
+
+// src/session/cookie-helpers.ts
+function serializeCookie(name, value, options = {}) {
+  const {
+    domain,
+    path = "/",
+    maxAge,
+    httpOnly = true,
+    secure = process.env.NODE_ENV === "production",
+    sameSite = "lax"
+  } = options;
+  const parts = [
+    `${name}=${encodeURIComponent(value)}`
+  ];
+  if (domain) {
+    parts.push(`Domain=${domain}`);
+  }
+  parts.push(`Path=${path}`);
+  if (maxAge !== void 0) {
+    parts.push(`Max-Age=${maxAge}`);
+  }
+  if (httpOnly) {
+    parts.push("HttpOnly");
+  }
+  if (secure) {
+    parts.push("Secure");
+  }
+  if (sameSite) {
+    parts.push(`SameSite=${sameSite.charAt(0).toUpperCase() + sameSite.slice(1)}`);
+  }
+  return parts.join("; ");
+}
+function parseCookies(cookieHeader) {
+  if (!cookieHeader) {
+    return {};
+  }
+  const cookies = {};
+  for (const cookie of cookieHeader.split(";")) {
+    const [key, ...valueParts] = cookie.trim().split("=");
+    if (key) {
+      cookies[key] = decodeURIComponent(valueParts.join("="));
+    }
+  }
+  return cookies;
+}
+function clearCookie(name, options = {}) {
+  return serializeCookie(name, "", {
+    ...options,
+    maxAge: 0
+  });
+}
+
+// src/rbac/rbac-engine.ts
+var RBACEngine = class {
+  config;
+  rolePermissions;
+  constructor(config) {
+    this.config = config;
+    this.rolePermissions = this.buildRolePermissionMap();
+  }
+  /**
+   * Build internal map of role → permissions for fast lookups
+   */
+  buildRolePermissionMap() {
+    const map = /* @__PURE__ */ new Map();
+    for (const role of this.config.roles) {
+      map.set(role.name, new Set(role.permissions || []));
+    }
+    return map;
+  }
+  /**
+   * Check if user has a specific role
+   */
+  hasRole(user, role) {
+    return user.roles.includes(role);
+  }
+  /**
+   * Check if user has any of the specified roles
+   */
+  hasAnyRole(user, roles) {
+    return roles.some((role) => this.hasRole(user, role));
+  }
+  /**
+   * Check if user has all of the specified roles
+   */
+  hasAllRoles(user, roles) {
+    return roles.every((role) => this.hasRole(user, role));
+  }
+  /**
+   * Check if user has a specific permission
+   * Permissions are checked both:
+   * 1. Directly in user.permissions array
+   * 2. Through role-based permissions from config
+   */
+  hasPermission(user, permission) {
+    if (user.permissions?.includes(permission)) {
+      return true;
+    }
+    for (const role of user.roles) {
+      const permissions = this.rolePermissions.get(role);
+      if (permissions?.has(permission)) {
+        return true;
+      }
+      if (permissions) {
+        for (const p of permissions) {
+          if (p.endsWith(":*")) {
+            const prefix = p.slice(0, -1);
+            if (permission.startsWith(prefix)) {
+              return true;
+            }
+          }
+        }
+      }
+    }
+    return false;
+  }
+  /**
+   * Check if user has any of the specified permissions
+   */
+  hasAnyPermission(user, permissions) {
+    return permissions.some((permission) => this.hasPermission(user, permission));
+  }
+  /**
+   * Check if user has all of the specified permissions
+   */
+  hasAllPermissions(user, permissions) {
+    return permissions.every((permission) => this.hasPermission(user, permission));
+  }
+  /**
+   * Check if route is public (no auth required)
+   */
+  isPublicRoute(path) {
+    if (!this.config.public_routes) {
+      return false;
+    }
+    return this.config.public_routes.some((publicPath) => {
+      return this.matchPath(path, publicPath);
+    });
+  }
+  /**
+   * Check if user can access a route based on protected_routes config
+   */
+  canAccessRoute(user, path) {
+    if (this.isPublicRoute(path)) {
+      return true;
+    }
+    if (!user) {
+      return false;
+    }
+    if (!this.config.protected_routes || this.config.protected_routes.length === 0) {
+      return true;
+    }
+    const matchingRoute = this.config.protected_routes.find((route) => {
+      return this.matchPath(path, route.path);
+    });
+    if (!matchingRoute) {
+      return true;
+    }
+    return this.hasAnyRole(user, matchingRoute.roles);
+  }
+  /**
+   * Check if user can access a component based on component auth config
+   */
+  canAccessComponent(user, authConfig) {
+    if (!authConfig) {
+      return true;
+    }
+    if (!user) {
+      return false;
+    }
+    if (authConfig.required_roles && authConfig.required_roles.length > 0) {
+      if (!this.hasAnyRole(user, authConfig.required_roles)) {
+        return false;
+      }
+    }
+    if (authConfig.required_permissions && authConfig.required_permissions.length > 0) {
+      if (!this.hasAllPermissions(user, authConfig.required_permissions)) {
+        return false;
+      }
+    }
+    return true;
+  }
+  // Match a path against a pattern with wildcard support
+  matchPath(path, pattern) {
+    if (path === pattern) {
+      return true;
+    }
+    if (!pattern.includes("*")) {
+      return false;
+    }
+    const regexPattern = pattern.replace(/\*/g, ".*").replace(/\//g, "\\/");
+    const regex = new RegExp(`^${regexPattern}$`);
+    return regex.test(path);
+  }
+};
+var AuthContext = react.createContext(null);
+function useAuth() {
+  const context = react.useContext(AuthContext);
+  if (!context) {
+    throw new Error("useAuth must be used within AuthProvider");
+  }
+  return context;
+}
+function useRequireAuth() {
+  const auth = useAuth();
+  if (!auth.isAuthenticated) {
+    console.warn("useRequireAuth: User is not authenticated");
+    return null;
+  }
+  return auth;
+}
+function AuthProvider({
+  user,
+  session,
+  rbacConfig,
+  isLoading = false,
+  children
+}) {
+  const rbac = react.useMemo(() => new RBACEngine(rbacConfig), [rbacConfig]);
+  const value = react.useMemo(() => ({
+    user,
+    session,
+    isAuthenticated: user !== null,
+    isLoading,
+    hasRole: (role) => {
+      if (!user) return false;
+      return rbac.hasRole(user, role);
+    },
+    hasPermission: (permission) => {
+      if (!user) return false;
+      return rbac.hasPermission(user, permission);
+    },
+    hasAnyRole: (roles) => {
+      if (!user) return false;
+      return rbac.hasAnyRole(user, roles);
+    },
+    hasAllPermissions: (permissions) => {
+      if (!user) return false;
+      return rbac.hasAllPermissions(user, permissions);
+    }
+  }), [user, session, isLoading, rbac]);
+  return /* @__PURE__ */ jsxRuntime.jsx(AuthContext.Provider, { value, children });
+}
+
+// src/profiles/dod-cac.ts
+var DOD_CAC_PROFILE = {
+  profile: "dod_cac",
+  source: "gateway_headers",
+  headerPrefix: "x-client-cert-",
+  verifiedHeader: "x-client-cert-verified",
+  requiredValue: "SUCCESS",
+  requiredOU: ["DOD", "DoD", "U.S. Government"],
+  // DoD Root CAs (add current list)
+  // These are sample CA names - verify against current DoD PKI infrastructure
+  allowedIssuers: [
+    // DoD Interoperability Root CA 2
+    "CN=DoD Interoperability Root CA 2",
+    // DoD Root CA 3-6 (current generation)
+    "CN=DoD Root CA 3",
+    "CN=DoD Root CA 4",
+    "CN=DoD Root CA 5",
+    "CN=DoD Root CA 6",
+    // DoD ID CAs (email/PIV auth)
+    "CN=DOD ID CA-59",
+    "CN=DOD ID CA-60",
+    "CN=DOD ID CA-61",
+    "CN=DOD ID CA-62",
+    "CN=DOD ID CA-63",
+    "CN=DOD ID CA-64",
+    "CN=DOD ID CA-65",
+    "CN=DOD ID CA-66",
+    "CN=DOD ID CA-67",
+    "CN=DOD ID CA-68",
+    "CN=DOD ID CA-69",
+    "CN=DOD ID CA-70",
+    // DoD SW CAs (software/device auth)
+    "CN=DOD SW CA-59",
+    "CN=DOD SW CA-60",
+    "CN=DOD SW CA-61",
+    "CN=DOD SW CA-62",
+    "CN=DOD SW CA-63",
+    "CN=DOD SW CA-64",
+    "CN=DOD SW CA-65",
+    "CN=DOD SW CA-66",
+    // Legacy DoD Email CAs (being phased out but may still be in use)
+    "CN=DOD EMAIL CA-59",
+    "CN=DOD EMAIL CA-60",
+    "CN=DOD EMAIL CA-61",
+    "CN=DOD EMAIL CA-62",
+    "CN=DOD EMAIL CA-63",
+    "CN=DOD EMAIL CA-64",
+    "CN=DOD EMAIL CA-65",
+    "CN=DOD EMAIL CA-66"
+  ]
+};
+function createDoDCACConfig(overrides) {
+  return {
+    type: "pki",
+    ...DOD_CAC_PROFILE,
+    ...overrides
+  };
+}
+function createDoDCACDevConfig() {
+  return {
+    type: "pki",
+    profile: "dod_cac",
+    source: "gateway_headers",
+    headerPrefix: "x-client-cert-",
+    verifiedHeader: "x-client-cert-verified",
+    requiredValue: "SUCCESS",
+    // Only require 'DOD' in OU for dev
+    requiredOU: ["DOD"],
+    // Don't restrict issuers in dev mode
+    allowedIssuers: void 0
+  };
+}
+var FallbackComponents = {
+  /**
+   * Hide component (render nothing)
+   */
+  hide: () => null,
+  /**
+   * Show placeholder message
+   */
+  placeholder: ({ className }) => /* @__PURE__ */ jsxRuntime.jsx("div", { className: className || "auth-placeholder", style: {
+    padding: "1rem",
+    border: "1px dashed #ccc",
+    borderRadius: "4px",
+    color: "#666",
+    fontStyle: "italic",
+    textAlign: "center"
+  }, children: "Content requires authorization" }),
+  /**
+   * Show custom message
+   */
+  message: ({ message, className }) => /* @__PURE__ */ jsxRuntime.jsx("div", { className: className || "auth-message", style: {
+    padding: "1rem",
+    border: "1px solid #f0ad4e",
+    borderRadius: "4px",
+    backgroundColor: "#fcf8e3",
+    color: "#8a6d3b"
+  }, children: message || "Unauthorized" })
+};
+function withAuth(Component, authConfig) {
+  if (!authConfig) {
+    return Component;
+  }
+  const WrappedComponent = (props) => {
+    const auth = useAuth();
+    if (authConfig.required_roles && authConfig.required_roles.length > 0) {
+      if (!auth.hasAnyRole(authConfig.required_roles)) {
+        return renderFallback(authConfig);
+      }
+    }
+    if (authConfig.required_permissions && authConfig.required_permissions.length > 0) {
+      if (!auth.hasAllPermissions(authConfig.required_permissions)) {
+        return renderFallback(authConfig);
+      }
+    }
+    return /* @__PURE__ */ jsxRuntime.jsx(Component, { ...props });
+  };
+  const componentName = Component.displayName || Component.name || "Component";
+  WrappedComponent.displayName = `withAuth(${componentName})`;
+  return WrappedComponent;
+}
+function renderFallback(authConfig) {
+  const fallbackType = authConfig.fallback || "hide";
+  switch (fallbackType) {
+    case "hide":
+      return FallbackComponents.hide();
+    case "placeholder":
+      return FallbackComponents.placeholder({});
+    case "message":
+      return FallbackComponents.message({
+        message: authConfig.fallback_message
+      });
+    default:
+      return null;
+  }
+}
+function withAuthFallback(Component, authConfig, FallbackComponent) {
+  const WrappedComponent = (props) => {
+    const auth = useAuth();
+    const isAuthorized = checkAuthorization(auth, authConfig);
+    if (!isAuthorized) {
+      return /* @__PURE__ */ jsxRuntime.jsx(FallbackComponent, {});
+    }
+    return /* @__PURE__ */ jsxRuntime.jsx(Component, { ...props });
+  };
+  const componentName = Component.displayName || Component.name || "Component";
+  WrappedComponent.displayName = `withAuthFallback(${componentName})`;
+  return WrappedComponent;
+}
+function checkAuthorization(auth, authConfig) {
+  if (authConfig.required_roles && authConfig.required_roles.length > 0) {
+    if (!auth.hasAnyRole(authConfig.required_roles)) {
+      return false;
+    }
+  }
+  if (authConfig.required_permissions && authConfig.required_permissions.length > 0) {
+    if (!auth.hasAllPermissions(authConfig.required_permissions)) {
+      return false;
+    }
+  }
+  return true;
+}
+
+// src/registration.ts
+var authDecoratorRegistry = {
+  decorator: null
+};
+function registerAuthDecorator() {
+  authDecoratorRegistry.decorator = withAuth;
+  if (typeof window !== "undefined" && window.__STACKWRIGHT_DEBUG__) {
+    console.log("\u{1F510} Auth decorator registered");
+  }
+}
+function getAuthDecorator() {
+  return authDecoratorRegistry.decorator;
+}
+function maybeWrapWithAuth(Component, authConfig) {
+  const decorator = getAuthDecorator();
+  if (!decorator || !authConfig) {
+    return Component;
+  }
+  return decorator(Component, authConfig);
+}
+function hasAuthConfig(item) {
+  if (!item || typeof item !== "object") {
+    return false;
+  }
+  return "auth" in item;
+}
+
+exports.AuthContext = AuthContext;
+exports.AuthProvider = AuthProvider;
+exports.DOD_CAC_PROFILE = DOD_CAC_PROFILE;
+exports.KeycloakAdapter = KeycloakAdapter;
+exports.OIDCProvider = OIDCProvider;
+exports.PKIProvider = PKIProvider;
+exports.RBACEngine = RBACEngine;
+exports.SessionManager = SessionManager;
+exports.authConfigSchema = authConfigSchema;
+exports.authSessionSchema = authSessionSchema;
+exports.authUserSchema = authUserSchema;
+exports.buildAuthorizationUrl = buildAuthorizationUrl;
+exports.clearCookie = clearCookie;
+exports.componentAuthSchema = componentAuthSchema;
+exports.createDoDCACConfig = createDoDCACConfig;
+exports.createDoDCACDevConfig = createDoDCACDevConfig;
+exports.discoverOIDC = discoverOIDC;
+exports.exchangeCodeForTokens = exchangeCodeForTokens;
+exports.extractEDIPI = extractEDIPI;
+exports.getAuthDecorator = getAuthDecorator;
+exports.hasAuthConfig = hasAuthConfig;
+exports.maybeWrapWithAuth = maybeWrapWithAuth;
+exports.oidcConfigSchema = oidcConfigSchema;
+exports.parseCertFromHeaders = parseCertFromHeaders;
+exports.parseCertificate = parseCertificate;
+exports.parseCookies = parseCookies;
+exports.pkiConfigSchema = pkiConfigSchema;
+exports.rbacConfigSchema = rbacConfigSchema;
+exports.refreshAccessToken = refreshAccessToken;
+exports.registerAuthDecorator = registerAuthDecorator;
+exports.serializeCookie = serializeCookie;
+exports.useAuth = useAuth;
+exports.useRequireAuth = useRequireAuth;
+exports.validateDoDCAC = validateDoDCAC;
+exports.validateIdToken = validateIdToken;
+exports.withAuth = withAuth;
+exports.withAuthFallback = withAuthFallback;
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map