@startsimpli/auth 0.4.16 → 0.4.18

package/src/hooks/use-membership.ts

@@ -0,0 +1,192 @@
+'use client';
+
+/**
+ * useMembership — derive the current user's company + team membership
+ * context off whatever the backend hands the @startsimpli/api client.
+ *
+ * The hook is *injection-friendly*: the caller passes in the API methods
+ * (`fetchMyTeams`, `fetchTeam`, `fetchCompany`) so @startsimpli/auth stays
+ * decoupled from @startsimpli/api. Most apps will pass
+ *   api.teams.myTeams, api.teams.retrieve, api.companies.retrieve
+ * directly. startsim-o7s.
+ */
+
+import { useCallback, useEffect, useMemo, useState } from 'react';
+import { useAuth } from '../client/use-auth';
+import { hasRolePermission } from '../types';
+import type { CompanyRole } from '../types';
+
+export type MembershipRole = CompanyRole;
+
+/** Minimal company-shape used by the hook (deduped from @startsimpli/api). */
+export interface MembershipCompany {
+  id: string;
+  slug: string;
+  name: string;
+}
+
+/** Minimal team-shape used by the hook. */
+export interface MembershipTeam {
+  id: string;
+  slug: string;
+  name: string;
+  companyId: string;
+}
+
+/** A row from `/team-members/my-teams/` — keeps just what the hook needs. */
+export interface MembershipRow {
+  id: string;
+  userId: string;
+  teamId: string;
+  role: MembershipRole;
+  joinedAt: string;
+  team?: MembershipTeam;
+}
+
+export interface UseMembershipOptions {
+  /** Required: returns the current user's team memberships. */
+  fetchMyTeams: () => Promise<MembershipRow[]>;
+  /** Optional: hydrate the active team if `team` isn't embedded in the row. */
+  fetchTeam?: (idOrSlug: string) => Promise<MembershipTeam>;
+  /** Optional: hydrate the active company. */
+  fetchCompany?: (idOrSlug: string) => Promise<MembershipCompany>;
+  /**
+   * Optional override that picks which team is "current". Defaults to:
+   *   1. AuthUser.currentCompanyId → the membership whose team belongs there
+   *   2. otherwise, the first OWNER membership
+   *   3. otherwise, the first row
+   */
+  pickCurrent?: (rows: MembershipRow[]) => MembershipRow | undefined;
+}
+
+export interface UseMembershipReturn {
+  company: MembershipCompany | null;
+  currentTeam: MembershipTeam | null;
+  role: MembershipRole | null;
+  isOwner: boolean;
+  isAdmin: boolean;
+  isMemberOrAbove: boolean;
+  canInvite: boolean;
+  /** All membership rows for this user. */
+  memberships: MembershipRow[];
+  isLoading: boolean;
+  error: Error | null;
+  /** Force re-fetch. */
+  refresh: () => Promise<void>;
+}
+
+const EMPTY: UseMembershipReturn = {
+  company: null,
+  currentTeam: null,
+  role: null,
+  isOwner: false,
+  isAdmin: false,
+  isMemberOrAbove: false,
+  canInvite: false,
+  memberships: [],
+  isLoading: false,
+  error: null,
+  refresh: async () => {},
+};
+
+export function useMembership(options: UseMembershipOptions): UseMembershipReturn {
+  const { fetchMyTeams, fetchTeam, fetchCompany, pickCurrent } = options;
+  const { user, isAuthenticated } = useAuth();
+
+  const [rows, setRows] = useState<MembershipRow[]>([]);
+  const [team, setTeam] = useState<MembershipTeam | null>(null);
+  const [company, setCompany] = useState<MembershipCompany | null>(null);
+  const [isLoading, setIsLoading] = useState<boolean>(isAuthenticated);
+  const [error, setError] = useState<Error | null>(null);
+
+  const currentCompanyHint = user?.currentCompanyId;
+
+  const refresh = useCallback(async () => {
+    if (!isAuthenticated) {
+      setRows([]);
+      setTeam(null);
+      setCompany(null);
+      setIsLoading(false);
+      return;
+    }
+    setIsLoading(true);
+    setError(null);
+    try {
+      const fetched = await fetchMyTeams();
+      setRows(fetched);
+
+      const picked =
+        pickCurrent?.(fetched) ??
+        defaultPickCurrent(fetched, currentCompanyHint);
+
+      if (!picked) {
+        setTeam(null);
+        setCompany(null);
+        return;
+      }
+
+      const teamObj = picked.team ?? (fetchTeam ? await fetchTeam(picked.teamId) : null);
+      setTeam(teamObj);
+
+      if (teamObj && fetchCompany) {
+        const companyObj = await fetchCompany(teamObj.companyId);
+        setCompany(companyObj);
+      }
+    } catch (err) {
+      setError(err instanceof Error ? err : new Error(String(err)));
+    } finally {
+      setIsLoading(false);
+    }
+  }, [fetchMyTeams, fetchTeam, fetchCompany, pickCurrent, isAuthenticated, currentCompanyHint]);
+
+  useEffect(() => {
+    void refresh();
+  }, [refresh]);
+
+  return useMemo<UseMembershipReturn>(() => {
+    if (!isAuthenticated) return EMPTY;
+    const picked =
+      pickCurrent?.(rows) ?? defaultPickCurrent(rows, currentCompanyHint);
+    const role = picked?.role ?? null;
+    const isOwner = role === 'owner';
+    const isAdmin = !!role && hasRolePermission(role, 'admin');
+    const isMemberOrAbove = !!role && hasRolePermission(role, 'member');
+    return {
+      company,
+      currentTeam: team,
+      role,
+      isOwner,
+      isAdmin,
+      isMemberOrAbove,
+      // Owners + admins can invite; backend enforces same on bulk-invite.
+      canInvite: isAdmin,
+      memberships: rows,
+      isLoading,
+      error,
+      refresh,
+    };
+  }, [
+    isAuthenticated,
+    rows,
+    team,
+    company,
+    isLoading,
+    error,
+    refresh,
+    pickCurrent,
+    currentCompanyHint,
+  ]);
+}
+
+function defaultPickCurrent(
+  rows: MembershipRow[],
+  currentCompanyId?: string,
+): MembershipRow | undefined {
+  if (rows.length === 0) return undefined;
+  if (currentCompanyId) {
+    const hit = rows.find((r) => r.team?.companyId === currentCompanyId);
+    if (hit) return hit;
+  }
+  const owner = rows.find((r) => r.role === 'owner');
+  return owner ?? rows[0];
+}

package/src/index.ts

@@ -58,4 +58,31 @@ export type {
   SessionStorage,
 } from './client';
 
+// Team-management hooks (startsim-o7s) — useMembership / useInvitations /
+// useDomainClaims. Headless; caller passes the @startsimpli/api methods.
+export {
+  useMembership,
+  useMembershipFromApi,
+  useInvitations,
+  useDomainClaims,
+} from './hooks';
+export type {
+  UseMembershipOptions,
+  UseMembershipReturn,
+  MembershipCompany,
+  MembershipTeam,
+  MembershipRow,
+  MembershipRole,
+  UseMembershipFromApiClient,
+  UseInvitationsOptions,
+  UseInvitationsReturn,
+  InvitationRow,
+  BulkInviteEntry,
+  BulkInviteResult,
+  UseDomainClaimsOptions,
+  UseDomainClaimsReturn,
+  DomainClaimRow,
+  DomainVerificationMethod,
+} from './hooks';
+
 // DO NOT export './server' here - it uses next/headers and must be imported explicitly via '@startsimpli/auth/server'

package/src/server/index.ts

@@ -18,3 +18,7 @@ export {
   withRole,
   type GuardResult,
 } from './guards';
+
+// Re-export token helpers so consumers (e.g. app middleware) don't have to
+// reach into `./utils` directly.
+export { isTokenExpired, decodeToken, getTokenExpiresAt } from '../utils/token';

package/src/types/index.ts

@@ -183,7 +183,6 @@ export interface PasswordResetRequest {
 export interface PasswordResetConfirm {
   token: string;
   password: string;
-  passwordConfirm: string;
 }
 
 /**

package/src/utils/central-auth.ts

@@ -0,0 +1,91 @@
+/**
+ * Helpers for redirecting to the central StartSimpli auth host
+ * (auth.startsimpli.com, see startsim-ul0).
+ *
+ * Per-app auth pages have been replaced by a single host that owns
+ * /signin, /signup, /forgot-password, /reset-password, /verify-email,
+ * /oauth/google/callback, /oauth/microsoft/callback, /completion, /error.
+ *
+ * Apps consume this helper to:
+ *   1. Build "Sign in" / "Create account" links with the `app` + `return_to`
+ *      query params preserved.
+ *   2. Configure AuthProvider's `loginPath` so session-expired bounces hit the
+ *      same host.
+ *
+ * Defaults to https://auth.startsimpli.com but can be overridden via the
+ * `NEXT_PUBLIC_AUTH_HOST` env var for staging / local dev.
+ */
+
+export const DEFAULT_CENTRAL_AUTH_HOST = 'https://auth.startsimpli.com';
+
+/** Flows owned by the central auth host. */
+export type CentralAuthFlow =
+  | 'signin'
+  | 'signup'
+  | 'forgot-password'
+  | 'reset-password'
+  | 'verify-email'
+  | 'completion'
+  | 'error';
+
+/**
+ * Resolve the central auth host. Reads `NEXT_PUBLIC_AUTH_HOST` when present
+ * so apps can point at a staging deploy without rebuilding the package.
+ */
+export function resolveCentralAuthHost(): string {
+  if (typeof process !== 'undefined' && process.env?.NEXT_PUBLIC_AUTH_HOST) {
+    return process.env.NEXT_PUBLIC_AUTH_HOST;
+  }
+  return DEFAULT_CENTRAL_AUTH_HOST;
+}
+
+export interface BuildCentralAuthUrlOptions {
+  /** Slug identifying the calling app (e.g. `vault`, `raise`, `market`). */
+  app: string;
+  /** Absolute URL the user should be returned to after the flow completes. */
+  returnTo?: string;
+  /** Override the host (otherwise resolved from env). */
+  host?: string;
+  /** Extra query params to tack on. */
+  extraParams?: Record<string, string>;
+}
+
+/**
+ * Build a URL into the central auth host, preserving `?app=` and
+ * `?return_to=` consistently. Use this for hand-rolled links AND for
+ * AuthProvider's `loginPath` config.
+ *
+ * Example:
+ *   buildCentralAuthUrl('signin', { app: 'vault', returnTo: 'https://vault.startsimpli.com/environments' })
+ *   // => 'https://auth.startsimpli.com/signin?app=vault&return_to=https%3A%2F%2F...'
+ */
+export function buildCentralAuthUrl(
+  flow: CentralAuthFlow,
+  options: BuildCentralAuthUrlOptions,
+): string {
+  const host = options.host ?? resolveCentralAuthHost();
+  const url = new URL(`/${flow}`, host);
+  url.searchParams.set('app', options.app);
+  if (options.returnTo) {
+    url.searchParams.set('return_to', options.returnTo);
+  }
+  if (options.extraParams) {
+    for (const [key, value] of Object.entries(options.extraParams)) {
+      url.searchParams.set(key, value);
+    }
+  }
+  return url.toString();
+}
+
+/**
+ * Convenience: redirect the browser to the central auth host's signin flow,
+ * preserving the current URL as `return_to`. Safe to call from client code.
+ */
+export function redirectToCentralSignin(app: string): void {
+  if (typeof window === 'undefined') return;
+  const url = buildCentralAuthUrl('signin', {
+    app,
+    returnTo: window.location.href,
+  });
+  window.location.href = url;
+}

package/src/utils/index.ts

@@ -1,3 +1,4 @@
 export * from './token';
 export * from './cookies';
+export * from './central-auth';
 export * from '../validation';

package/src/utils/validation.ts

@@ -54,18 +54,13 @@ export const passwordSchema = z
   );
 
 /**
- * Password confirmation schema
- * Validates password and confirmation match
+ * Password schema (alias retained for back-compat — passwordConfirm dropped
+ * from create-account/reset/change flows since browsers + password managers
+ * make the second field pure friction). startsim-nbq.
  */
-export const passwordConfirmSchema = z
-  .object({
-    password: passwordSchema,
-    passwordConfirm: z.string(),
-  })
-  .refine((data) => data.password === data.passwordConfirm, {
-    message: PasswordErrorCode.MISMATCH,
-    path: ['passwordConfirm'],
-  });
+export const passwordConfirmSchema = z.object({
+  password: passwordSchema,
+});
 
 /**
  * Password reset request schema
@@ -78,16 +73,10 @@ export const passwordResetRequestSchema = z.object({
 /**
  * Password reset confirm schema
  */
-export const passwordResetConfirmSchema = z
-  .object({
-    token: z.string().min(1, { message: 'Token is required' }),
-    password: passwordSchema,
-    passwordConfirm: z.string(),
-  })
-  .refine((data) => data.password === data.passwordConfirm, {
-    message: PasswordErrorCode.MISMATCH,
-    path: ['passwordConfirm'] as const,
-  });
+export const passwordResetConfirmSchema = z.object({
+  token: z.string().min(1, { message: 'Token is required' }),
+  password: passwordSchema,
+});
 
 /**
  * Email verification request schema