@startsimpli/auth 0.4.15 → 0.4.16

package/src/client/token-auth-core.ts

@@ -0,0 +1,190 @@
+/**
+ * Platform-neutral, token-mode auth client.
+ *
+ * Mirrors the session lifecycle of the web cookie-based AuthClient (login /
+ * refreshToken / logout / getCurrentUser) but works WITHOUT cookies, so it runs
+ * on React Native (and any non-browser client). It opts into the backend's
+ * token mode via `X-Auth-Mode: token`, carries the refresh token through a
+ * pluggable TokenStorage, and sends the access token as a Bearer header.
+ *
+ * Backend contract (start-simpli-api, shipped by claude-mac):
+ *   POST /api/v1/auth/token/         X-Auth-Mode: token -> { access, refresh }
+ *   POST /api/v1/auth/token/refresh/ body { refresh }   -> { access, refresh }
+ *   POST /api/v1/auth/logout/        Bearer + body { refresh } (blacklists refresh)
+ *   GET  /api/v1/auth/me/            Bearer
+ *
+ * DOM-free by construction: no cookies, no window/document. The only platform
+ * detail — where the refresh token is persisted — is injected as TokenStorage.
+ */
+
+import type { AuthUser, Session } from '../types';
+import { getTokenExpiresAt } from '../utils/token';
+import { extractApiError } from '../utils/api-error';
+
+/** Persistence for the refresh token. Web uses cookies (and never needs this);
+ *  native provides a SecureStore-backed implementation. */
+export interface TokenStorage {
+  getRefreshToken(): Promise<string | null>;
+  setRefreshToken(token: string): Promise<void>;
+  clear(): Promise<void>;
+}
+
+/** In-memory TokenStorage — used in tests and as a non-persistent fallback. */
+export class InMemoryTokenStorage implements TokenStorage {
+  private refresh: string | null = null;
+  async getRefreshToken(): Promise<string | null> {
+    return this.refresh;
+  }
+  async setRefreshToken(token: string): Promise<void> {
+    this.refresh = token;
+  }
+  async clear(): Promise<void> {
+    this.refresh = null;
+  }
+}
+
+export interface TokenAuthConfig {
+  apiBaseUrl: string;
+  storage: TokenStorage;
+  /** Injectable for tests; defaults to the global fetch. */
+  fetch?: typeof fetch;
+}
+
+function normalizeUser(raw: unknown): AuthUser | null {
+  if (!raw || typeof raw !== 'object') return null;
+  const obj = raw as Record<string, unknown>;
+  const p = (obj.user && typeof obj.user === 'object' ? obj.user : obj) as Record<string, unknown>;
+  if (!p.id || !p.email) return null;
+  return {
+    id: String(p.id),
+    email: String(p.email),
+    firstName: (p.first_name ?? p.firstName ?? '') as string,
+    lastName: (p.last_name ?? p.lastName ?? '') as string,
+    isEmailVerified: Boolean(p.is_email_verified ?? p.isEmailVerified ?? false),
+    createdAt: (p.created_at ?? p.createdAt ?? '') as string,
+    updatedAt: (p.updated_at ?? p.updatedAt ?? '') as string,
+    name: (p.name as string | null | undefined) ?? null,
+  };
+}
+
+export class TokenAuthClient {
+  private apiBaseUrl: string;
+  private storage: TokenStorage;
+  private fetchImpl: typeof fetch;
+  private accessToken: string | null = null;
+  private session: Session | null = null;
+
+  constructor(config: TokenAuthConfig) {
+    this.apiBaseUrl = config.apiBaseUrl;
+    this.storage = config.storage;
+    this.fetchImpl = config.fetch ?? (globalThis.fetch.bind(globalThis) as typeof fetch);
+  }
+
+  getAccessToken(): string | null {
+    return this.accessToken;
+  }
+
+  getSession(): Session | null {
+    return this.session;
+  }
+
+  async login(email: string, password: string): Promise<Session> {
+    const response = await this.fetchImpl(`${this.apiBaseUrl}/api/v1/auth/token/`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'X-Auth-Mode': 'token' },
+      body: JSON.stringify({ email, password }),
+    });
+
+    if (!response.ok) {
+      const data = await response.json().catch(() => ({}) as Record<string, unknown>);
+      throw new Error(extractApiError(data as Record<string, unknown>, 'Login failed'));
+    }
+
+    const data = (await response.json()) as Record<string, unknown>;
+    const access = data.access as string;
+    const expiresAt = getTokenExpiresAt(access);
+    if (!expiresAt) {
+      throw new Error('Invalid token received');
+    }
+
+    await this.storage.setRefreshToken(data.refresh as string);
+    this.accessToken = access;
+
+    let user = data.user ? normalizeUser(data.user) : null;
+    if (!user) {
+      user = await this.getCurrentUser(access);
+    }
+
+    this.session = { user, accessToken: access, expiresAt };
+    return this.session;
+  }
+
+  async refreshToken(): Promise<string> {
+    const refresh = await this.storage.getRefreshToken();
+    if (!refresh) {
+      throw new Error('No refresh token available');
+    }
+
+    const response = await this.fetchImpl(`${this.apiBaseUrl}/api/v1/auth/token/refresh/`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ refresh }),
+    });
+
+    if (!response.ok) {
+      await this.storage.clear();
+      this.accessToken = null;
+      this.session = null;
+      const data = await response.json().catch(() => ({}) as Record<string, unknown>);
+      throw new Error(extractApiError(data as Record<string, unknown>, 'Token refresh failed'));
+    }
+
+    const data = (await response.json()) as Record<string, unknown>;
+    const access = data.access as string;
+    // The backend rotates the refresh token in token mode; persist the new one.
+    if (typeof data.refresh === 'string') {
+      await this.storage.setRefreshToken(data.refresh);
+    }
+    this.accessToken = access;
+    return access;
+  }
+
+  async logout(): Promise<void> {
+    const refresh = await this.storage.getRefreshToken();
+    try {
+      await this.fetchImpl(`${this.apiBaseUrl}/api/v1/auth/logout/`, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          ...(this.accessToken ? { Authorization: `Bearer ${this.accessToken}` } : {}),
+        },
+        body: JSON.stringify({ refresh: refresh ?? undefined }),
+      });
+    } catch {
+      // Network failure shouldn't strand a logged-out user with local tokens.
+    } finally {
+      await this.storage.clear();
+      this.accessToken = null;
+      this.session = null;
+    }
+  }
+
+  async getCurrentUser(accessToken: string): Promise<AuthUser> {
+    const response = await this.fetchImpl(`${this.apiBaseUrl}/api/v1/auth/me/`, {
+      method: 'GET',
+      headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${accessToken}` },
+    });
+
+    if (!response.ok) {
+      const data = await response.json().catch(() => ({}) as Record<string, unknown>);
+      throw new Error(extractApiError(data as Record<string, unknown>, 'Failed to fetch user'));
+    }
+
+    const data = (await response.json()) as Record<string, unknown>;
+    const user = normalizeUser(data);
+    if (!user) {
+      throw new Error('Invalid user response');
+    }
+    return user;
+  }
+}

package/src/client/token.ts

@@ -0,0 +1,18 @@
+/**
+ * @startsimpli/auth/token — platform-neutral, cookie-free auth entry.
+ *
+ * The RN-safe surface for token-mode auth: a TokenAuthClient that carries the
+ * refresh token through a TokenStorage instead of cookies. SecureTokenStorage
+ * resolves to an expo-secure-store impl on React Native and to a throwing stub
+ * on the web (where the cookie-based AuthClient should be used instead).
+ *
+ * Kept separate from '@startsimpli/auth/client' because that barrel pulls in the
+ * DOM/cookie-bound web client (functions, AuthProvider).
+ */
+export {
+  TokenAuthClient,
+  InMemoryTokenStorage,
+  type TokenStorage,
+  type TokenAuthConfig,
+} from './token-auth-core';
+export { SecureTokenStorage, REFRESH_TOKEN_KEY } from './secure-token-storage';

package/src/index.ts

@@ -38,7 +38,24 @@ export {
   authFetch,
   hasPermission,
   hasGroup,
+  createMockAuthBackend,
+  createMemorySessionStorage,
+  createWebSessionStorage,
+  createRememberAwareSessionStorage,
+  createSecureSessionStorage,
+  SESSION_STORAGE_KEY,
+} from './client';
+export type {
+  UseAuthReturn,
+  UseRequireAuthReturn,
+  UseRequireAuthOptions,
+  UsePermissionsReturn,
+  AuthBackend,
+  RegisterPayload,
+  MockAuthBackend,
+  MockAuthBackendOptions,
+  MockAccount,
+  SessionStorage,
 } from './client';
-export type { UseAuthReturn, UseRequireAuthReturn, UseRequireAuthOptions, UsePermissionsReturn } from './client';
 
 // DO NOT export './server' here - it uses next/headers and must be imported explicitly via '@startsimpli/auth/server'

package/src/types/index.ts

@@ -51,6 +51,11 @@ export interface AuthUser {
   isStaff?: boolean;
   isActive?: boolean;
   name?: string | null;
+  // Role/permission membership. Mirrors the functional-API AuthUser so the
+  // session user works directly with hasGroup()/hasPermission(). Backends that
+  // model roles as string groups (incl. the mock backend) populate these.
+  groups?: string[];
+  permissions?: string[];
   // Company/team context (if applicable)
   companies?: Array<{
     id: string;

package/src/utils/api-error.ts

@@ -0,0 +1,54 @@
+/**
+ * Extract a human-readable message from a Django REST Framework error response body.
+ *
+ * Handles the shapes we've seen in practice:
+ *   { detail: "..." }                                 → the string
+ *   { detail: ["...", "..."] }                        → first string
+ *   { detail: { token: ["Invalid..."] } }             → first nested string
+ *   { email: ["already exists"] }                     → first field-level string
+ *   { non_field_errors: ["..."] }                     → first field-level string
+ *   { error: "CODE", detail: { field: ["..."] } }     → first nested string
+ *
+ * Pure and DOM-free, so it is shared by the web functional client (functions.ts)
+ * and the platform-neutral token-auth core (token-auth-core.ts).
+ *
+ * @internal Implementation detail of the auth package; do not rely on from outside.
+ */
+export function extractApiError(d: Record<string, unknown>, fallback: string): string {
+  const pluck = (val: unknown): string | null => {
+    if (typeof val === 'string') return val
+    if (Array.isArray(val) && val.length > 0) {
+      for (const item of val) {
+        const s = pluck(item)
+        if (s) return s
+      }
+    }
+    if (val && typeof val === 'object') {
+      for (const v of Object.values(val as Record<string, unknown>)) {
+        const s = pluck(v)
+        if (s) return s
+      }
+    }
+    return null
+  }
+
+  // Standard DRF: { detail: "..." }
+  const fromDetail = pluck(d.detail)
+  if (fromDetail) return fromDetail
+  // Some backend shapes use `error` as the human-readable message (e.g.
+  // our Django auth errors: { "error": "No active account...", "code": "unauthorized" }).
+  // Prefer this over field-level probing so we don't accidentally return a
+  // code like "unauthorized" from a sibling field.
+  const fromError = pluck(d.error)
+  if (fromError) return fromError
+  // Field-level: { email: ["already exists"] } or { non_field_errors: ["..."] }
+  // Skip known meta/code fields so `{ code: "unauthorized" }` doesn't leak
+  // an internal identifier as a user-facing message.
+  const META_KEYS = new Set(['detail', 'error', 'code', 'statusCode', 'status', 'timestamp'])
+  for (const [key, val] of Object.entries(d)) {
+    if (META_KEYS.has(key)) continue
+    const s = pluck(val)
+    if (s) return s
+  }
+  return fallback
+}