@startsimpli/auth 0.1.0

package/src/client/functions.ts

@@ -0,0 +1,424 @@
+/**
+ * Functional auth API for Django backend
+ *
+ * Stateless functions for authentication flows: sign in, register, OAuth, token refresh, etc.
+ * Uses fetch (browser/Node) and getCsrfToken from shared utils.
+ * No Next.js dependency.
+ */
+
+import { getCsrfToken } from '../utils/cookies';
+
+// --- Types ---
+
+export interface AuthUser {
+  id: string;
+  email: string;
+  name?: string | null;
+  firstName?: string | null;
+  lastName?: string | null;
+  groups?: string[];
+  permissions?: string[];
+  isActive?: boolean;
+  isEmailVerified?: boolean;
+}
+
+// --- Endpoint paths (Django backend defaults) ---
+
+const API_BASE = '/api/v1';
+
+const AUTH_PATHS = {
+  TOKEN: `${API_BASE}/auth/token/`,
+  TOKEN_REFRESH: `${API_BASE}/auth/token/refresh/`,
+  REGISTER: `${API_BASE}/auth/register/`,
+  LOGOUT: `${API_BASE}/auth/logout/`,
+  FORGOT_PASSWORD: `${API_BASE}/auth/forgot-password/`,
+  RESET_PASSWORD: `${API_BASE}/auth/reset-password/`,
+  VERIFY_EMAIL: `${API_BASE}/auth/verify-email/`,
+  RESEND_VERIFICATION: `${API_BASE}/auth/resend-verification/`,
+  OAUTH_GOOGLE_INITIATE: `${API_BASE}/auth/oauth/google/initiate/`,
+  OAUTH_GOOGLE_CALLBACK: `${API_BASE}/auth/oauth/google/callback/`,
+  ME: `${API_BASE}/auth/me/`,
+} as const;
+
+// --- Base URL resolution ---
+
+const AUTH_BASE_URL =
+  (typeof process !== 'undefined' &&
+    (process.env.NEXT_PUBLIC_API_URL || process.env.NEXT_PUBLIC_API_BASE_URL)) ||
+  '';
+const AUTH_BASE_IS_ABSOLUTE = /^https?:\/\//i.test(AUTH_BASE_URL);
+
+function isAbsoluteUrl(url: string) {
+  return /^https?:\/\//i.test(url);
+}
+
+export function resolveAuthUrl(path: string): string {
+  if (isAbsoluteUrl(path)) return path;
+
+  const normalized = path.startsWith('/') ? path : `/${path}`;
+  if (AUTH_BASE_IS_ABSOLUTE) {
+    return new URL(normalized, AUTH_BASE_URL).toString();
+  }
+  if (normalized.startsWith('/api/')) return normalized;
+  if (!AUTH_BASE_URL) return normalized;
+
+  if (AUTH_BASE_URL.endsWith('/') && normalized.startsWith('/')) {
+    return `${AUTH_BASE_URL.slice(0, -1)}${normalized}`;
+  }
+
+  return `${AUTH_BASE_URL}${normalized}`;
+}
+
+// --- In-memory token store ---
+
+let accessToken: string | null = null;
+
+export function getAccessToken(): string | null {
+  return accessToken;
+}
+
+export function setAccessToken(token: string | null): void {
+  accessToken = token;
+}
+
+// --- Internal helpers ---
+
+function normalizeUser(raw: unknown): AuthUser | null {
+  if (!raw || typeof raw !== 'object') return null;
+  const obj = raw as Record<string, unknown>;
+  const payload = (obj.user && typeof obj.user === 'object' ? obj.user : obj) as Record<string, unknown>;
+  if (!payload?.id || !payload?.email) return null;
+
+  const firstName = (payload.first_name ?? payload.firstName ?? null) as string | null;
+  const lastName = (payload.last_name ?? payload.lastName ?? null) as string | null;
+  const name =
+    (payload.name as string | null) ??
+    ([firstName, lastName].filter(Boolean).join(' ') || null);
+
+  return {
+    id: payload.id as string,
+    email: payload.email as string,
+    name,
+    firstName,
+    lastName,
+    groups: Array.isArray(payload.groups) ? (payload.groups as string[]) : [],
+    permissions: Array.isArray(payload.permissions) ? (payload.permissions as string[]) : [],
+    isActive: (payload.isActive ?? payload.is_active) as boolean | undefined,
+    isEmailVerified: (payload.isEmailVerified ?? payload.is_email_verified) as boolean | undefined,
+  };
+}
+
+function parseAuthResponse(data: unknown): { access?: string; user?: AuthUser } {
+  if (!data || typeof data !== 'object') return {};
+  const obj = data as Record<string, unknown>;
+  const payload = (obj.data && typeof obj.data === 'object' ? obj.data : obj) as Record<string, unknown>;
+  const access = (payload.access || payload.access_token || payload.token) as string | undefined;
+  const userRaw = payload.user || payload.me || payload.profile || payload;
+  const user = normalizeUser(userRaw);
+  return { access, user: user ?? undefined };
+}
+
+// --- Auth functions ---
+
+export async function signInWithCredentials(email: string, password: string) {
+  const response = await fetch(resolveAuthUrl(AUTH_PATHS.TOKEN), {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    credentials: 'include',
+    body: JSON.stringify({ email, password }),
+  });
+
+  const data = await response.json().catch(() => ({}));
+
+  if (!response.ok) {
+    const d = data as Record<string, unknown>;
+    if (d?.error === 'ACCOUNT_LOCKED' && d?.locked_until) {
+      throw new Error(`Account locked until ${new Date(d.locked_until as string).toLocaleTimeString()}`);
+    }
+    const message = (d?.detail || d?.error || 'Authentication failed') as string;
+    throw new Error(message);
+  }
+
+  const parsed = parseAuthResponse(data);
+  if (parsed.access) {
+    setAccessToken(parsed.access);
+  }
+
+  return parsed;
+}
+
+export async function registerAccount(payload: {
+  email: string;
+  password: string;
+  passwordConfirm: string;
+  name?: string;
+  firstName?: string;
+  lastName?: string;
+}) {
+  const rawName = payload.name?.trim() || '';
+  const [firstFromName, ...rest] = rawName ? rawName.split(/\s+/) : [];
+  const lastFromName = rest.length ? rest.join(' ') : undefined;
+
+  const response = await fetch(resolveAuthUrl(AUTH_PATHS.REGISTER), {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    credentials: 'include',
+    body: JSON.stringify({
+      email: payload.email,
+      password: payload.password,
+      password_confirm: payload.passwordConfirm,
+      first_name: payload.firstName ?? firstFromName ?? undefined,
+      last_name: payload.lastName ?? lastFromName ?? undefined,
+    }),
+  });
+
+  const data = await response.json().catch(() => ({}));
+
+  if (!response.ok) {
+    const d = data as Record<string, unknown>;
+    const message = (d?.detail || d?.error || 'Registration failed') as string;
+    throw new Error(message);
+  }
+
+  const parsed = parseAuthResponse(data);
+  if (parsed.access) {
+    setAccessToken(parsed.access);
+  }
+
+  return parsed;
+}
+
+export async function requestPasswordReset(email: string): Promise<void> {
+  const response = await fetch(resolveAuthUrl(AUTH_PATHS.FORGOT_PASSWORD), {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ email }),
+  });
+
+  if (!response.ok) {
+    const data = await response.json().catch(() => ({}));
+    const d = data as Record<string, unknown>;
+    const message = (d?.detail || d?.error || 'Failed to send reset link') as string;
+    throw new Error(message);
+  }
+}
+
+export async function resetPassword(payload: {
+  token: string;
+  password: string;
+  passwordConfirm: string;
+  email?: string;
+}): Promise<void> {
+  const response = await fetch(resolveAuthUrl(AUTH_PATHS.RESET_PASSWORD), {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      token: payload.token,
+      password: payload.password,
+      password_confirm: payload.passwordConfirm,
+      ...(payload.email ? { email: payload.email } : {}),
+    }),
+  });
+
+  if (!response.ok) {
+    const data = await response.json().catch(() => ({}));
+    const d = data as Record<string, unknown>;
+    const message = (d?.detail || d?.error || 'Failed to reset password') as string;
+    throw new Error(message);
+  }
+}
+
+export async function verifyEmail(token: string): Promise<void> {
+  const response = await fetch(resolveAuthUrl(AUTH_PATHS.VERIFY_EMAIL), {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ token }),
+  });
+
+  if (!response.ok) {
+    const data = await response.json().catch(() => ({}));
+    const d = data as Record<string, unknown>;
+    const message = (d?.detail || d?.error || 'Failed to verify email') as string;
+    throw new Error(message);
+  }
+}
+
+export async function resendVerification(access?: string | null): Promise<void> {
+  const response = await fetch(resolveAuthUrl(AUTH_PATHS.RESEND_VERIFICATION), {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      ...(access ? { Authorization: `Bearer ${access}` } : {}),
+    },
+    credentials: 'include',
+  });
+
+  if (!response.ok) {
+    const data = await response.json().catch(() => ({}));
+    const d = data as Record<string, unknown>;
+    const message = (d?.detail || d?.error || 'Failed to resend verification email') as string;
+    throw new Error(message);
+  }
+}
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export async function initiateGoogleOAuth(redirectUri: string): Promise<any> {
+  const response = await fetch(resolveAuthUrl(AUTH_PATHS.OAUTH_GOOGLE_INITIATE), {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    credentials: 'include',
+    body: JSON.stringify({ redirect_uri: redirectUri }),
+  });
+
+  const data = await response.json().catch(() => ({}));
+
+  if (!response.ok) {
+    const d = data as Record<string, unknown>;
+    const message = (d?.detail || d?.error || 'Failed to initiate Google OAuth') as string;
+    throw new Error(message);
+  }
+
+  return data;
+}
+
+export async function completeGoogleOAuth(code: string, state: string) {
+  const response = await fetch(
+    resolveAuthUrl(
+      `${AUTH_PATHS.OAUTH_GOOGLE_CALLBACK}?code=${encodeURIComponent(code)}&state=${encodeURIComponent(state)}`
+    ),
+    { credentials: 'include' }
+  );
+
+  const data = await response.json().catch(() => ({}));
+
+  if (!response.ok) {
+    const d = data as Record<string, unknown>;
+    const message = (d?.detail || d?.error || 'OAuth authentication failed') as string;
+    throw new Error(message);
+  }
+
+  const parsed = parseAuthResponse(data);
+  if (parsed.access) {
+    setAccessToken(parsed.access);
+  }
+
+  return parsed;
+}
+
+export async function refreshAccessToken(): Promise<string | null> {
+  const csrfToken = getCsrfToken();
+  if (!csrfToken) return null;
+
+  const response = await fetch(resolveAuthUrl(AUTH_PATHS.TOKEN_REFRESH), {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'X-CSRFToken': csrfToken,
+    },
+    credentials: 'include',
+  });
+
+  const data = await response.json().catch(() => ({}));
+
+  if (!response.ok) {
+    return null;
+  }
+
+  const parsed = parseAuthResponse(data);
+  if (parsed.access) {
+    setAccessToken(parsed.access);
+    return parsed.access;
+  }
+
+  return null;
+}
+
+export async function getMe(): Promise<AuthUser | null> {
+  const token = getAccessToken();
+  if (!token) return null;
+
+  const response = await fetch(resolveAuthUrl(AUTH_PATHS.ME), {
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+    credentials: 'include',
+    cache: 'no-store',
+  });
+
+  if (!response.ok) {
+    return null;
+  }
+
+  const data = await response.json().catch(() => ({}));
+  const obj = data as Record<string, unknown>;
+  const payload = obj.data && typeof obj.data === 'object' ? obj.data : obj;
+  const userRaw = (payload as Record<string, unknown>).user || payload;
+  return normalizeUser(userRaw);
+}
+
+export async function signOut(): Promise<void> {
+  const csrfToken = getCsrfToken();
+  const token = getAccessToken();
+
+  try {
+    await fetch(resolveAuthUrl(AUTH_PATHS.LOGOUT), {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        ...(csrfToken ? { 'X-CSRFToken': csrfToken } : {}),
+        ...(token ? { Authorization: `Bearer ${token}` } : {}),
+      },
+      credentials: 'include',
+    });
+  } finally {
+    setAccessToken(null);
+  }
+}
+
+export async function authFetch(
+  input: RequestInfo | URL,
+  init: RequestInit = {}
+): Promise<Response> {
+  const token = getAccessToken();
+  const headers = new Headers(init.headers || {});
+
+  if (token && !headers.has('Authorization')) {
+    headers.set('Authorization', `Bearer ${token}`);
+  }
+
+  const resolvedInput = typeof input === 'string' ? resolveAuthUrl(input) : input;
+
+  const response = await fetch(resolvedInput, {
+    ...init,
+    headers,
+    credentials: init.credentials ?? 'include',
+  });
+
+  if (response.status === 401) {
+    const refreshed = await refreshAccessToken();
+    if (refreshed) {
+      const retryHeaders = new Headers(init.headers || {});
+      retryHeaders.set('Authorization', `Bearer ${refreshed}`);
+
+      return fetch(resolvedInput, {
+        ...init,
+        headers: retryHeaders,
+        credentials: init.credentials ?? 'include',
+      });
+    }
+  }
+
+  return response;
+}
+
+export function hasPermission(user: AuthUser | null | undefined, permission: string): boolean {
+  if (!user) return false;
+  if (!user.permissions || user.permissions.length === 0) return false;
+  return user.permissions.includes(permission);
+}
+
+export function hasGroup(user: AuthUser | null | undefined, group: string): boolean {
+  if (!user) return false;
+  if (!user.groups || user.groups.length === 0) return false;
+  return user.groups.includes(group);
+}

package/src/client/index.ts

@@ -0,0 +1,5 @@
+export { AuthClient } from './auth-client';
+export { AuthProvider, useAuthContext } from './auth-context';
+export { useAuth, type UseAuthReturn } from './use-auth';
+export { usePermissions, type UsePermissionsReturn } from './use-permissions';
+export * from './functions';

package/src/client/use-auth.ts

@@ -0,0 +1,45 @@
+/**
+ * React hook for authentication
+ */
+
+'use client';
+
+import { useAuthContext } from './auth-context';
+import type { AuthUser, Session } from '../types';
+
+export interface UseAuthReturn {
+  user: AuthUser | null;
+  session: Session | null;
+  isLoading: boolean;
+  isAuthenticated: boolean;
+  login: (email: string, password: string) => Promise<void>;
+  logout: () => Promise<void>;
+  refreshUser: () => Promise<void>;
+  getAccessToken: () => Promise<string | null>;
+}
+
+/**
+ * Hook to access authentication state and methods
+ */
+export function useAuth(): UseAuthReturn {
+  const {
+    session,
+    isLoading,
+    isAuthenticated,
+    login,
+    logout,
+    refreshUser,
+    getAccessToken,
+  } = useAuthContext();
+
+  return {
+    user: session?.user || null,
+    session,
+    isLoading,
+    isAuthenticated,
+    login,
+    logout,
+    refreshUser,
+    getAccessToken,
+  };
+}

package/src/client/use-permissions.ts

@@ -0,0 +1,82 @@
+/**
+ * React hook for permission checks
+ */
+
+'use client';
+
+import { useMemo } from 'react';
+import { useAuth } from './use-auth';
+import type { CompanyRole } from '../types';
+import { hasRolePermission } from '../types';
+
+export interface UsePermissionsReturn {
+  hasRole: (requiredRole: CompanyRole, companyId?: string) => boolean;
+  isOwner: (companyId?: string) => boolean;
+  isAdmin: (companyId?: string) => boolean;
+  canEdit: (companyId?: string) => boolean;
+  canView: (companyId?: string) => boolean;
+  currentRole: CompanyRole | null;
+  currentCompanyId: string | null;
+}
+
+/**
+ * Hook to check user permissions
+ */
+export function usePermissions(): UsePermissionsReturn {
+  const { user } = useAuth();
+
+  const currentCompanyId = user?.currentCompanyId || null;
+
+  const currentCompany = useMemo(() => {
+    if (!user?.companies || !currentCompanyId) {
+      return null;
+    }
+    return user.companies.find((c) => c.id === currentCompanyId);
+  }, [user, currentCompanyId]);
+
+  const currentRole = currentCompany?.role || null;
+
+  const hasRole = (requiredRole: CompanyRole, companyId?: string): boolean => {
+    if (!user?.companies) {
+      return false;
+    }
+
+    const targetCompanyId = companyId || currentCompanyId;
+    if (!targetCompanyId) {
+      return false;
+    }
+
+    const company = user.companies.find((c) => c.id === targetCompanyId);
+    if (!company) {
+      return false;
+    }
+
+    return hasRolePermission(company.role, requiredRole);
+  };
+
+  const isOwner = (companyId?: string): boolean => {
+    return hasRole('owner', companyId);
+  };
+
+  const isAdmin = (companyId?: string): boolean => {
+    return hasRole('admin', companyId);
+  };
+
+  const canEdit = (companyId?: string): boolean => {
+    return hasRole('member', companyId);
+  };
+
+  const canView = (companyId?: string): boolean => {
+    return hasRole('viewer', companyId);
+  };
+
+  return {
+    hasRole,
+    isOwner,
+    isAdmin,
+    canEdit,
+    canView,
+    currentRole,
+    currentCompanyId,
+  };
+}

package/src/email/index.ts

@@ -0,0 +1,136 @@
+/**
+ * Server-only: email utilities for auth flows
+ * Usage: import { createEmailService } from '@startsimpli/auth/email'
+ *
+ * Call createEmailService(process.env.RESEND_API_KEY) once per app (e.g. in a singleton module).
+ * If no API key is provided (dev/test), emails are logged to console instead of sent.
+ *
+ * resend is an optional peer dependency — the package works without it installed.
+ */
+
+export interface EmailOptions {
+  to: string;
+  subject: string;
+  html: string;
+  text?: string;
+}
+
+export interface EmailService {
+  sendEmail(options: EmailOptions): Promise<boolean>;
+  sendPasswordResetEmail(to: string, resetUrl: string, appName?: string, userName?: string | null): Promise<boolean>;
+  sendWelcomeEmail(to: string, name: string | null, appName?: string, appUrl?: string): Promise<boolean>;
+}
+
+export function createEmailService(
+  apiKey: string | undefined,
+  options: { fromEmail?: string; fromName?: string } = {}
+): EmailService {
+  const fromEmail = options.fromEmail ?? 'noreply@startsimpli.com';
+  const fromName = options.fromName;
+
+  // Lazily resolved Resend instance — avoids hard require() at module load time
+  // and lets the package work even if resend is not installed.
+  type ResendLike = { emails: { send: (payload: unknown) => Promise<{ error: unknown }> } };
+  let resendInstance: ResendLike | null = null;
+
+  async function getResend(): Promise<ResendLike | null> {
+    if (!apiKey) return null;
+    if (resendInstance) return resendInstance;
+    try {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const mod = await (Function('m', 'return import(m)')('resend') as Promise<any>);
+      resendInstance = new mod.Resend(apiKey) as ResendLike;
+    } catch {
+      console.warn('[email] resend package not available — falling back to console logging');
+    }
+    return resendInstance;
+  }
+
+  const from = fromName ? `${fromName} <${fromEmail}>` : fromEmail;
+
+  async function sendEmail(opts: EmailOptions): Promise<boolean> {
+    const { to, subject, html, text } = opts;
+    const resend = await getResend();
+
+    if (!resend) {
+      console.log('=== EMAIL (dev mode - not sent) ===');
+      console.log(`To: ${to}`);
+      console.log(`Subject: ${subject}`);
+      console.log(`Body: ${text ?? html}`);
+      console.log('=== END EMAIL ===');
+      return true;
+    }
+
+    try {
+      const { error } = await resend.emails.send({ from, to, subject, html, text });
+      if (error) {
+        console.error('[email] Failed to send email:', error);
+        return false;
+      }
+      return true;
+    } catch (err) {
+      console.error('[email] Email service error:', err);
+      return false;
+    }
+  }
+
+  async function sendPasswordResetEmail(
+    to: string,
+    resetUrl: string,
+    appName = 'Simpli',
+    userName?: string | null
+  ): Promise<boolean> {
+    const name = userName ?? 'there';
+    return sendEmail({
+      to,
+      subject: `Reset your password - ${appName}`,
+      html: `
+        <div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
+          <h2 style="color: #f86c4f;">Reset Your Password</h2>
+          <p>Hi ${name},</p>
+          <p>We received a request to reset your password for your ${appName} account.</p>
+          <p>Click the button below to reset your password. This link will expire in 1 hour.</p>
+          <p style="margin: 30px 0;">
+            <a href="${resetUrl}"
+               style="background-color: #f86c4f; color: white; padding: 12px 24px;
+                      text-decoration: none; border-radius: 6px; display: inline-block;">
+              Reset Password
+            </a>
+          </p>
+          <p>Or copy and paste this link into your browser:</p>
+          <p style="color: #666; word-break: break-all;">${resetUrl}</p>
+          <hr style="border: none; border-top: 1px solid #eee; margin: 30px 0;">
+          <p style="color: #999; font-size: 14px;">
+            If you didn't request this password reset, you can safely ignore this email.
+            Your password will remain unchanged.
+          </p>
+        </div>
+      `,
+      text: `Hi ${name},\n\nWe received a request to reset your password for your ${appName} account.\n\nClick this link to reset your password (expires in 1 hour):\n${resetUrl}\n\nIf you didn't request this password reset, you can safely ignore this email.\nYour password will remain unchanged.`,
+    });
+  }
+
+  async function sendWelcomeEmail(
+    to: string,
+    name: string | null,
+    appName = 'Simpli',
+    appUrl = ''
+  ): Promise<boolean> {
+    const displayName = name ?? 'there';
+    return sendEmail({
+      to,
+      subject: `Welcome to ${appName}!`,
+      html: `
+        <div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
+          <h2 style="color: #f86c4f;">Welcome, ${displayName}!</h2>
+          <p>Your ${appName} account is ready.</p>
+          ${appUrl ? `<p><a href="${appUrl}" style="background:#f86c4f;color:white;padding:12px 24px;border-radius:6px;text-decoration:none;display:inline-block;">Get started</a></p>` : ''}
+          <p>The ${appName} team</p>
+        </div>
+      `,
+      text: `Welcome, ${displayName}!\n\nYour ${appName} account is ready.${appUrl ? `\n\nGet started: ${appUrl}` : ''}\n\nThe ${appName} team`,
+    });
+  }
+
+  return { sendEmail, sendPasswordResetEmail, sendWelcomeEmail };
+}