npm - @tapbuy-public/sso - Versions diffs - 1.0.0 - Mend

@tapbuy-public/sso 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,193 @@
+# @tapbuy-public/sso
+Framework-agnostic SSO handler for Tapbuy checkout. Decrypts an encrypted cookie payload passed via URL query parameter and sets or removes cookies accordingly.
+Works with any runtime that supports the Web standard `Request`/`Response` API: **Next.js (App Router)**, Nuxt, Remix, Deno, Bun, Cloudflare Workers, etc.
+## How it works
+1. The Tapbuy API returns a `singleSignOnURL` pointing to the retailer's SSO endpoint.
+2. The Tapbuy checkout renders a hidden `<img src="{singleSignOnURL}">` pixel.
+3. The retailer's SSO endpoint (powered by this package) reads the `token` and `action` query params, decrypts the encrypted payload, sets or removes cookies based on its content, and returns a 1×1 transparent GIF.
+The `token` query parameter contains a **base64-encoded encrypted JSON payload** — an array of cookie operations (`set` / `remove`) with names and values. The encryption key must match the retailer's `encryption_key` configured on the Tapbuy API side.
+Because the Tapbuy checkout runs on the retailer's subdomain (e.g. `checkout.retailer.com`), the pixel request is **same-site** — no third-party cookie issues.
+## Installation
+```bash
+yarn add @tapbuy-public/sso
+```
+## Usage
+### Next.js (App Router)
+Create a route handler at `app/api/tapbuy-sso/route.ts`:
+```typescript
+import { createSSOHandler } from '@tapbuy-public/sso';
+export const { GET } = createSSOHandler({
+  cookies: {
+    login: [
+      {
+        name: 'userId',
+        httpOnly: true,
+        path: '/',
+        domain: '.example.com',
+      },
+      {
+        name: 'sessionExpiration',
+        httpOnly: false,
+        path: '/',
+        domain: '.example.com',
+        maxAge: 3600,
+      },
+    ],
+    logout: ['userId', 'sessionExpiration'],
+  },
+  encryptionKey: process.env.TAPBUY_SSO_ENCRYPTION_KEY!,
+});
+```
+That's it — one file. No other changes required.
+### Minimal example
+```typescript
+import { createSSOHandler } from '@tapbuy-public/sso';
+export const { GET } = createSSOHandler({
+  cookies: {
+    login: [
+      {
+        name: 'userToken',
+        httpOnly: false,
+        path: '/',
+      },
+    ],
+    logout: ['userToken'],
+  },
+  encryptionKey: process.env.TAPBUY_SSO_ENCRYPTION_KEY!,
+});
+```
+### Using AES-256-ECB (Node.js only)
+```typescript
+export const { GET } = createSSOHandler({
+  cookies: {
+    login: [{ name: 'userToken', httpOnly: true, path: '/' }],
+    logout: ['userToken'],
+  },
+  encryptionKey: process.env.TAPBUY_SSO_ENCRYPTION_KEY!,
+  encryptionAlgorithm: 'aes-256-ecb',
+});
+```
+## API
+### `createSSOHandler(config: SSOConfig)`
+Returns `{ GET: (request: Request) => Response | Promise<Response> }`.
+The `GET` handler reads two query parameters from the request URL:
+| Parameter | Required          | Description                                                                 |
+| --------- | ----------------- | --------------------------------------------------------------------------- |
+| `action`  | Always            | `"login"` or `"logout"`                                                     |
+| `token`   | When action=login | Base64-encoded encrypted JSON payload describing which cookies to set/remove |
+**Encrypted payload format**: The decrypted `token` is a JSON array of cookie operations:
+```typescript
+interface SSOCookiePayloadItem {
+  name: string;           // Cookie name
+  value: string;          // Cookie value to set
+  action: 'set' | 'remove'; // Whether to set or remove (expire) this cookie
+}
+```
+**On login**: decrypts the `token`, then for each item in the payload:
+- `action: 'set'` — sets the cookie with the given value, using security options from the matching `cookies.login` config.
+- `action: 'remove'` — expires the cookie by setting `Max-Age=0`.
+**On logout**: expires each cookie name listed in `config.cookies.logout` by setting `Max-Age=0`. Path and domain are inherited from the matching login config (if any).
+**Response**: Always returns a 1×1 transparent GIF (`image/gif`) with no-cache headers.
+**Error**: Returns HTTP 400 (still a GIF) when `action` is missing/invalid, when `token` is missing on login, or when decryption fails.
+### `SSOConfig`
+```typescript
+interface SSOConfig {
+  cookies: {
+    /** Cookie security options for login (httpOnly, secure, path, domain, etc.). Cookie names and values come from the encrypted payload. */
+    login: SSOCookieConfig[];
+    /** Cookie names to delete on logout. */
+    logout: string[];
+  };
+  /** AES-256 encryption key. Must match the retailer's encryption_key on the API side. */
+  encryptionKey: string;
+  /** Encryption algorithm. @default 'aes-256-gcm' */
+  encryptionAlgorithm?: 'aes-256-gcm' | 'aes-256-ecb';
+  /** Optional allowed origins for CORS headers. */
+  allowedOrigins?: (string | RegExp)[];
+  /** Optional callback after cookies are set/deleted. */
+  onComplete?: (action: 'login' | 'logout', request: Request) => void | Promise<void>;
+}
+```
+### `SSOCookieConfig`
+Defines **security options** for a cookie. The cookie name and value are provided by the encrypted payload at runtime.
+```typescript
+interface SSOCookieConfig {
+  name: string;
+  httpOnly?: boolean;   // default: true
+  secure?: boolean;     // default: true
+  sameSite?: 'Strict' | 'Lax' | 'None';  // default: "Lax"
+  path?: string;        // default: "/"
+  domain?: string;      // default: request host
+  maxAge?: number;      // default: 86400 (24h)
+}
+```
+### Encryption algorithms
+| Algorithm       | Default | Runtime requirement                | Notes                                    |
+| --------------- | ------- | ---------------------------------- | ---------------------------------------- |
+| `aes-256-gcm`   | Yes     | Web Crypto API (works everywhere)  | Recommended. Authenticated encryption.   |
+| `aes-256-ecb`   | No      | Node.js `crypto` module            | Legacy. Use only if required by the API. |
+## How to configure the Tapbuy API
+The Tapbuy API adapter must return a `singleSignOnURL` in the login/guest response. The URL should point to the retailer's SSO endpoint with `{token}` and `{action}` placeholders:
+```
+https://example.com/api/tapbuy-sso?token={token}&action={action}
+```
+The Tapbuy checkout replaces `{token}` with the encrypted cookie payload and `{action}` with `login` or `logout` before firing the pixel.
+The `encryption_key` configured on the Tapbuy API side must match the `encryptionKey` passed to `createSSOHandler`.
+## Development
+```bash
+# Install dependencies
+yarn
+# Run tests
+yarn test
+# Build
+yarn build
+# Lint
+yarn lint
+```

package/dist/esm/index.d.ts ADDED Viewed

@@ -0,0 +1,119 @@
+/**
+ * @tapbuy-public/sso
+ *
+ * Framework-agnostic SSO handler for Tapbuy checkout.
+ * Decrypts an encrypted cookie payload and sets/deletes cookies accordingly.
+ *
+ * Works with any framework that uses the Web standard Request/Response API:
+ * Next.js (App Router), Nuxt, Remix, Deno, Bun, Cloudflare Workers, etc.
+ *
+ * Supported encryption algorithms:
+ * - **AES-256-GCM** (default): uses Web Crypto API — works everywhere.
+ * - **AES-256-ECB**: uses Node.js `crypto` module — requires Node.js runtime.
+ *
+ * The `token` query parameter contains an encrypted JSON payload
+ * describing which cookies to set/remove and their values.
+ * The encryption key must match the retailer's `encryption_key` on the API side.
+ *
+ * @example
+ * // Next.js — app/api/tapbuy-sso/route.ts
+ * import { createSSOHandler } from '@tapbuy-public/sso'
+ *
+ * export const { GET } = createSSOHandler({
+ *   cookies: {
+ *     login: [
+ *       { name: 'userId', httpOnly: true, path: '/', domain: '.example.com' },
+ *     ],
+ *     logout: ['userId'],
+ *   },
+ *   encryptionKey: process.env.TAPBUY_SSO_ENCRYPTION_KEY!,
+ *   // encryptionAlgorithm: 'aes-256-ecb', // optional, default is 'aes-256-gcm'
+ * })
+ */
+/** Configuration for a single cookie to set on login. */
+export interface SSOCookieConfig {
+    /** Cookie name (e.g. "userId", "userToken"). */
+    name: string;
+    /** Whether the cookie is inaccessible to JavaScript. @default true */
+    httpOnly?: boolean;
+    /** Only send cookie over HTTPS. @default true */
+    secure?: boolean;
+    /** SameSite attribute. @default "Lax" */
+    sameSite?: 'Strict' | 'Lax' | 'None';
+    /** Cookie path. @default "/" */
+    path?: string;
+    /** Cookie domain (e.g. ".website.com"). If omitted, defaults to the request host. */
+    domain?: string;
+    /** Cookie max-age in seconds. @default 86400 (24 h) */
+    maxAge?: number;
+}
+/**
+ * A single cookie operation from the encrypted payload.
+ * The API builds an array of these, encrypts it, and passes it as the `token` query param.
+ */
+export interface SSOCookiePayloadItem {
+    /** Cookie name. Must match a name in `cookies.login` for security options. */
+    name: string;
+    /** Cookie value to set. */
+    value: string;
+    /** Whether to set or remove (expire) this cookie. */
+    action: 'set' | 'remove';
+}
+/** Supported encryption algorithms for the SSO token. */
+export type SSOEncryptionAlgorithm = 'aes-256-gcm' | 'aes-256-ecb';
+/** Main configuration object for the SSO handler. */
+export interface SSOConfig {
+    cookies: {
+        /**
+         * Cookie security options for login.
+         * Defines httpOnly, secure, sameSite, path, domain, maxAge for each cookie.
+         * Cookie names and values come from the encrypted payload.
+         */
+        login: SSOCookieConfig[];
+        /**
+         * Cookie names to delete when `action=logout`.
+         * They are expired by setting `Max-Age=0`.
+         */
+        logout: string[];
+    };
+    /**
+     * AES-256-GCM encryption key.
+     * Must match the `encryption_key` retailer config on the API side.
+     * The `token` query param is decrypted using this key to get the cookie payload.
+     */
+    encryptionKey: string;
+    /**
+     * Encryption algorithm used for the `token` query parameter.
+     * - `'aes-256-gcm'` (default): Web Crypto API — works everywhere.
+     * - `'aes-256-ecb'`: Node.js `crypto` module — requires Node.js runtime.
+     * @default 'aes-256-gcm'
+     */
+    encryptionAlgorithm?: SSOEncryptionAlgorithm;
+    /**
+     * Optional list of allowed origins for CORS.
+     * When provided, the handler adds `Access-Control-Allow-Origin` for matching origins.
+     * Supports exact strings or RegExp patterns.
+     * @default [] (no CORS headers)
+     */
+    allowedOrigins?: (string | RegExp)[];
+    /**
+     * Optional callback fired after cookies are set/deleted, before the response is returned.
+     * Useful for side-effects like logging or analytics.
+     */
+    onComplete?: (action: 'login' | 'logout', request: Request) => void | Promise<void>;
+}
+/**
+ * Create a SSO route handler.
+ *
+ * Returns an object with a `GET` method compatible with the Web standard
+ * `Request → Response` signature (Next.js App Router, etc.).
+ *
+ * Query parameters:
+ * - `token`  — encrypted cookie payload, base64-encoded (required for login)
+ * - `action` — `"login"` or `"logout"` (required)
+ */
+export declare function createSSOHandler(config: SSOConfig): {
+    GET: (request: Request) => Response | Promise<Response>;
+};
+export default createSSOHandler;
+//# sourceMappingURL=index.d.ts.map

package/dist/esm/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAMH,yDAAyD;AACzD,MAAM,WAAW,eAAe;IAC9B,gDAAgD;IAChD,IAAI,EAAE,MAAM,CAAC;IACb,sEAAsE;IACtE,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,iDAAiD;IACjD,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,yCAAyC;IACzC,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IACrC,gCAAgC;IAChC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qFAAqF;IACrF,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,uDAAuD;IACvD,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAoB;IACnC,8EAA8E;IAC9E,IAAI,EAAE,MAAM,CAAC;IACb,2BAA2B;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,qDAAqD;IACrD,MAAM,EAAE,KAAK,GAAG,QAAQ,CAAC;CAC1B;AAED,yDAAyD;AACzD,MAAM,MAAM,sBAAsB,GAAG,aAAa,GAAG,aAAa,CAAC;AAEnE,qDAAqD;AACrD,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE;QACP;;;;WAIG;QACH,KAAK,EAAE,eAAe,EAAE,CAAC;QACzB;;;WAGG;QACH,MAAM,EAAE,MAAM,EAAE,CAAC;KAClB,CAAC;IACF;;;;OAIG;IACH,aAAa,EAAE,MAAM,CAAC;IACtB;;;;;OAKG;IACH,mBAAmB,CAAC,EAAE,sBAAsB,CAAC;IAC7C;;;;;OAKG;IACH,cAAc,CAAC,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,CAAC;IACrC;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,MAAM,EAAE,OAAO,GAAG,QAAQ,EAAE,OAAO,EAAE,OAAO,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACrF;AAmMD;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,SAAS,GAAG;IACnD,GAAG,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACzD,CAqGA;AAGD,eAAe,gBAAgB,CAAC"}

package/dist/esm/index.js ADDED Viewed

@@ -0,0 +1,284 @@
+/**
+ * @tapbuy-public/sso
+ *
+ * Framework-agnostic SSO handler for Tapbuy checkout.
+ * Decrypts an encrypted cookie payload and sets/deletes cookies accordingly.
+ *
+ * Works with any framework that uses the Web standard Request/Response API:
+ * Next.js (App Router), Nuxt, Remix, Deno, Bun, Cloudflare Workers, etc.
+ *
+ * Supported encryption algorithms:
+ * - **AES-256-GCM** (default): uses Web Crypto API — works everywhere.
+ * - **AES-256-ECB**: uses Node.js `crypto` module — requires Node.js runtime.
+ *
+ * The `token` query parameter contains an encrypted JSON payload
+ * describing which cookies to set/remove and their values.
+ * The encryption key must match the retailer's `encryption_key` on the API side.
+ *
+ * @example
+ * // Next.js — app/api/tapbuy-sso/route.ts
+ * import { createSSOHandler } from '@tapbuy-public/sso'
+ *
+ * export const { GET } = createSSOHandler({
+ *   cookies: {
+ *     login: [
+ *       { name: 'userId', httpOnly: true, path: '/', domain: '.example.com' },
+ *     ],
+ *     logout: ['userId'],
+ *   },
+ *   encryptionKey: process.env.TAPBUY_SSO_ENCRYPTION_KEY!,
+ *   // encryptionAlgorithm: 'aes-256-ecb', // optional, default is 'aes-256-gcm'
+ * })
+ */
+// ---------------------------------------------------------------------------
+// 1x1 transparent GIF
+// ---------------------------------------------------------------------------
+/** Minimal 1×1 transparent GIF (43 bytes). */
+const TRANSPARENT_GIF = new Uint8Array([
+    0x47, 0x49, 0x46, 0x38, 0x39, 0x61, // GIF89a
+    0x01, 0x00, 0x01, 0x00, // 1×1
+    0x80, 0x00, 0x00, // GCT flag, 2 colors
+    0x00, 0x00, 0x00, // color 0: black
+    0xff, 0xff, 0xff, // color 1: white
+    0x21, 0xf9, 0x04, // GCE
+    0x01, 0x00, 0x00, 0x00, 0x00, // transparent index 0
+    0x2c, // image descriptor
+    0x00, 0x00, 0x00, 0x00, // left, top
+    0x01, 0x00, 0x01, 0x00, // width, height
+    0x00, // packed byte
+    0x02, 0x02, 0x44, 0x01, 0x00, // LZW min code size + data
+    0x3b, // trailer
+]);
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function serializeCookie(name, value, options) {
+    const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
+    if (options.path)
+        parts.push(`Path=${options.path}`);
+    if (options.domain)
+        parts.push(`Domain=${options.domain}`);
+    if (options.maxAge !== undefined)
+        parts.push(`Max-Age=${options.maxAge}`);
+    if (options.secure)
+        parts.push('Secure');
+    if (options.httpOnly)
+        parts.push('HttpOnly');
+    if (options.sameSite)
+        parts.push(`SameSite=${options.sameSite}`);
+    return parts.join('; ');
+}
+function matchesOrigin(origin, allowed) {
+    return allowed.some((pattern) => {
+        if (typeof pattern === 'string')
+            return origin === pattern;
+        pattern.lastIndex = 0;
+        return pattern.test(origin);
+    });
+}
+const VALID_ACTIONS = new Set(['set', 'remove']);
+function isValidPayload(payload) {
+    if (!Array.isArray(payload))
+        return false;
+    return payload.every((item) => item != null &&
+        typeof item === 'object' &&
+        typeof item.name === 'string' &&
+        typeof item.value === 'string' &&
+        VALID_ACTIONS.has(item.action));
+}
+// ---------------------------------------------------------------------------
+// Encrypted mode helpers
+// ---------------------------------------------------------------------------
+/**
+ * Decrypt an AES-256-GCM encrypted payload.
+ *
+ * The encrypted data format (matching PHP `encodeCartKey`):
+ *   base64( iv[12 bytes] + tag[16 bytes] + cipherText )
+ *
+ * Web Crypto API expects: cipherText + tag (tag appended at the end).
+ *
+ * @param encryptedBase64 - Base64-encoded encrypted string from the `token` query param.
+ * @param encryptionKey   - Shared secret key (will be padded/truncated to 32 bytes).
+ * @returns Parsed array of cookie payload items.
+ */
+async function decryptPayload(encryptedBase64, encryptionKey) {
+    // Pad/truncate key to 32 bytes — matches PHP: substr(str_pad($key, 32, "\0"), 0, 32)
+    const keyBytes = new Uint8Array(32);
+    const encoder = new TextEncoder();
+    const rawKey = encoder.encode(encryptionKey);
+    keyBytes.set(rawKey.subarray(0, 32));
+    // Decode base64
+    const binaryStr = atob(encryptedBase64);
+    const data = new Uint8Array(binaryStr.length);
+    for (let i = 0; i < binaryStr.length; i++) {
+        data[i] = binaryStr.charCodeAt(i);
+    }
+    // PHP format: iv(12) + tag(16) + cipherText
+    const iv = data.slice(0, 12);
+    const tag = data.slice(12, 28);
+    const cipherText = data.slice(28);
+    // Web Crypto expects: cipherText + tag (tag appended)
+    const combined = new Uint8Array(cipherText.length + tag.length);
+    combined.set(cipherText);
+    combined.set(tag, cipherText.length);
+    // Import key
+    const cryptoKey = await globalThis.crypto.subtle.importKey('raw', keyBytes, { name: 'AES-GCM' }, false, ['decrypt']);
+    // Decrypt
+    const decrypted = await globalThis.crypto.subtle.decrypt({ name: 'AES-GCM', iv, tagLength: 128 }, cryptoKey, combined);
+    const jsonStr = new TextDecoder().decode(decrypted);
+    return JSON.parse(jsonStr);
+}
+/**
+ * Decrypt an AES-256-ECB encrypted payload.
+ *
+ * ECB mode is not supported by the Web Crypto API, so this uses the Node.js
+ * `crypto` module. Works in Next.js, Nuxt, Remix, Deno, and Bun.
+ *
+ * The encrypted data format (matching PHP `phpseclib` AES ECB with PKCS7 padding):
+ *   base64( AES-256-ECB-PKCS7(json) )
+ *
+ * @param encryptedBase64 - Base64-encoded encrypted string from the `token` query param.
+ * @param encryptionKey   - Shared secret key (will be padded/truncated to 32 bytes).
+ * @returns Parsed array of cookie payload items.
+ */
+async function decryptPayloadECB(encryptedBase64, encryptionKey) {
+    // Pad/truncate key to 32 bytes — matches PHP: substr(str_pad($key, 32, "\0"), 0, 32)
+    const keyBytes = new Uint8Array(32);
+    const encoder = new TextEncoder();
+    const rawKey = encoder.encode(encryptionKey);
+    keyBytes.set(rawKey.subarray(0, 32));
+    // Decode base64
+    const binaryStr = atob(encryptedBase64);
+    const data = new Uint8Array(binaryStr.length);
+    for (let i = 0; i < binaryStr.length; i++) {
+        data[i] = binaryStr.charCodeAt(i);
+    }
+    // ECB mode is not supported by Web Crypto API.
+    // Use Node.js crypto module (available in Next.js, Nuxt, Remix, Deno, Bun).
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    let nodeCrypto;
+    try {
+        nodeCrypto = await import('crypto');
+    }
+    catch (_a) {
+        throw new Error('AES-256-ECB requires the Node.js crypto module. ' +
+            'Use AES-256-GCM for environments without Node.js (e.g. Cloudflare Workers).');
+    }
+    const decipher = nodeCrypto.createDecipheriv('aes-256-ecb', keyBytes, null);
+    const part1 = decipher.update(data);
+    const part2 = decipher.final();
+    const result = new Uint8Array(part1.length + part2.length);
+    result.set(part1);
+    result.set(part2, part1.length);
+    const jsonStr = new TextDecoder().decode(result);
+    return JSON.parse(jsonStr);
+}
+// ---------------------------------------------------------------------------
+// Handler factory
+// ---------------------------------------------------------------------------
+/**
+ * Create a SSO route handler.
+ *
+ * Returns an object with a `GET` method compatible with the Web standard
+ * `Request → Response` signature (Next.js App Router, etc.).
+ *
+ * Query parameters:
+ * - `token`  — encrypted cookie payload, base64-encoded (required for login)
+ * - `action` — `"login"` or `"logout"` (required)
+ */
+export function createSSOHandler(config) {
+    const { cookies, encryptionKey, encryptionAlgorithm = 'aes-256-gcm', allowedOrigins = [], onComplete } = config;
+    async function GET(request) {
+        var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o;
+        const url = new URL(request.url);
+        const token = url.searchParams.get('token');
+        const action = url.searchParams.get('action');
+        // Build common response headers
+        const headers = new Headers({
+            'Content-Type': 'image/gif',
+            'Cache-Control': 'no-store, no-cache, must-revalidate, private',
+            'Pragma': 'no-cache',
+        });
+        // CORS — only if an origin matches the allow-list
+        const origin = request.headers.get('Origin');
+        if (origin && allowedOrigins.length > 0 && matchesOrigin(origin, allowedOrigins)) {
+            headers.set('Access-Control-Allow-Origin', origin);
+            headers.set('Access-Control-Allow-Credentials', 'true');
+        }
+        // Validate action
+        if (action !== 'login' && action !== 'logout') {
+            return new Response(TRANSPARENT_GIF, { status: 400, headers });
+        }
+        // Login — set cookies
+        if (action === 'login') {
+            if (!token) {
+                return new Response(TRANSPARENT_GIF, { status: 400, headers });
+            }
+            // Decrypt the encrypted cookie payload
+            try {
+                const decrypt = encryptionAlgorithm === 'aes-256-ecb' ? decryptPayloadECB : decryptPayload;
+                const payload = await decrypt(token, encryptionKey);
+                if (!isValidPayload(payload)) {
+                    return new Response(TRANSPARENT_GIF, { status: 400, headers });
+                }
+                for (const item of payload) {
+                    // Only allow cookies explicitly listed in config.cookies.login
+                    const cookieCfg = cookies.login.find((c) => c.name === item.name);
+                    if (!cookieCfg)
+                        continue;
+                    if (item.action === 'set') {
+                        const serialized = serializeCookie(item.name, item.value, {
+                            httpOnly: (_a = cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.httpOnly) !== null && _a !== void 0 ? _a : true,
+                            secure: (_b = cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.secure) !== null && _b !== void 0 ? _b : true,
+                            sameSite: (_c = cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.sameSite) !== null && _c !== void 0 ? _c : 'Lax',
+                            path: (_d = cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.path) !== null && _d !== void 0 ? _d : '/',
+                            domain: cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.domain,
+                            maxAge: (_e = cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.maxAge) !== null && _e !== void 0 ? _e : 86400,
+                        });
+                        headers.append('Set-Cookie', serialized);
+                    }
+                    else if (item.action === 'remove') {
+                        const serialized = serializeCookie(item.name, '', {
+                            httpOnly: (_f = cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.httpOnly) !== null && _f !== void 0 ? _f : true,
+                            secure: (_g = cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.secure) !== null && _g !== void 0 ? _g : true,
+                            sameSite: (_h = cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.sameSite) !== null && _h !== void 0 ? _h : 'Lax',
+                            path: (_j = cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.path) !== null && _j !== void 0 ? _j : '/',
+                            domain: cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.domain,
+                            maxAge: 0,
+                        });
+                        headers.append('Set-Cookie', serialized);
+                    }
+                }
+            }
+            catch (_p) {
+                // Decryption or JSON parse failed — bad token
+                return new Response(TRANSPARENT_GIF, { status: 400, headers });
+            }
+        }
+        // Logout — expire cookies
+        if (action === 'logout') {
+            for (const cookieName of cookies.logout) {
+                // Find matching login config for path/domain, or use defaults
+                const loginCfg = cookies.login.find((c) => c.name === cookieName);
+                const serialized = serializeCookie(cookieName, '', {
+                    httpOnly: (_k = loginCfg === null || loginCfg === void 0 ? void 0 : loginCfg.httpOnly) !== null && _k !== void 0 ? _k : true,
+                    secure: (_l = loginCfg === null || loginCfg === void 0 ? void 0 : loginCfg.secure) !== null && _l !== void 0 ? _l : true,
+                    sameSite: (_m = loginCfg === null || loginCfg === void 0 ? void 0 : loginCfg.sameSite) !== null && _m !== void 0 ? _m : 'Lax',
+                    path: (_o = loginCfg === null || loginCfg === void 0 ? void 0 : loginCfg.path) !== null && _o !== void 0 ? _o : '/',
+                    domain: loginCfg === null || loginCfg === void 0 ? void 0 : loginCfg.domain,
+                    maxAge: 0, // Expire immediately
+                });
+                headers.append('Set-Cookie', serialized);
+            }
+        }
+        // Optional side-effect callback
+        if (onComplete) {
+            await onComplete(action, request);
+        }
+        return new Response(TRANSPARENT_GIF, { status: 200, headers });
+    }
+    return { GET };
+}
+// Default export for convenience
+export default createSSOHandler;
+//# sourceMappingURL=index.js.map

package/dist/esm/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAkFH,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,8CAA8C;AAC9C,MAAM,eAAe,GAAG,IAAI,UAAU,CAAC;IACrC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS;IAC7C,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAc,MAAM;IAC1C,IAAI,EAAE,IAAI,EAAE,IAAI,EAAoB,qBAAqB;IACzD,IAAI,EAAE,IAAI,EAAE,IAAI,EAAoB,iBAAiB;IACrD,IAAI,EAAE,IAAI,EAAE,IAAI,EAAoB,iBAAiB;IACrD,IAAI,EAAE,IAAI,EAAE,IAAI,EAAoB,MAAM;IAC1C,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAQ,sBAAsB;IAC1D,IAAI,EAAgC,mBAAmB;IACvD,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAc,YAAY;IAChD,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAc,gBAAgB;IACpD,IAAI,EAAgC,cAAc;IAClD,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAQ,2BAA2B;IAC/D,IAAI,EAAgC,UAAU;CAC/C,CAAC,CAAC;AAEH,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,eAAe,CACtB,IAAY,EACZ,KAAa,EACb,OAOC;IAED,MAAM,KAAK,GAAa,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAErF,IAAI,OAAO,CAAC,IAAI;QAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IACrD,IAAI,OAAO,CAAC,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,UAAU,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3D,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,WAAW,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1E,IAAI,OAAO,CAAC,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACzC,IAAI,OAAO,CAAC,QAAQ;QAAE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7C,IAAI,OAAO,CAAC,QAAQ;QAAE,KAAK,CAAC,IAAI,CAAC,YAAY,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAEjE,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,aAAa,CAAC,MAAc,EAAE,OAA4B;IACjE,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE;QAC9B,IAAI,OAAO,OAAO,KAAK,QAAQ;YAAE,OAAO,MAAM,KAAK,OAAO,CAAC;QAC3D,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QACtB,OAAO,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC;AAEjD,SAAS,cAAc,CAAC,OAAgB;IACtC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,OAAO,CAAC,KAAK,CAClB,CAAC,IAAI,EAAE,EAAE,CACP,IAAI,IAAI,IAAI;QACZ,OAAO,IAAI,KAAK,QAAQ;QACxB,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ;QAC7B,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ;QAC9B,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CACjC,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E;;;;;;;;;;;GAWG;AACH,KAAK,UAAU,cAAc,CAC3B,eAAuB,EACvB,aAAqB;IAErB,qFAAqF;IACrF,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IAC7C,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAErC,gBAAgB;IAChB,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC;IACxC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC9C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,IAAI,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACpC,CAAC;IAED,4CAA4C;IAC5C,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAC/B,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAElC,sDAAsD;IACtD,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;IAChE,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACzB,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;IAErC,aAAa;IACb,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CACxD,KAAK,EACL,QAAQ,EACR,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;IAEF,UAAU;IACV,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CACtD,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,SAAS,EAAE,GAAG,EAAE,EACvC,SAAS,EACT,QAAQ,CACT,CAAC;IAEF,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AAC7B,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,KAAK,UAAU,iBAAiB,CAC9B,eAAuB,EACvB,aAAqB;IAErB,qFAAqF;IACrF,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IAC7C,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAErC,gBAAgB;IAChB,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC;IACxC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC9C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,IAAI,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACpC,CAAC;IAED,+CAA+C;IAC/C,4EAA4E;IAC5E,8DAA8D;IAC9D,IAAI,UAAe,CAAC;IACpB,IAAI,CAAC;QACH,UAAU,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;IAAC,WAAM,CAAC;QACP,MAAM,IAAI,KAAK,CACb,kDAAkD;YAChD,6EAA6E,CAChF,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,UAAU,CAAC,gBAAgB,CAAC,aAAa,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC5E,MAAM,KAAK,GAAe,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAChD,MAAM,KAAK,GAAe,QAAQ,CAAC,KAAK,EAAE,CAAC;IAE3C,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;IAC3D,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAClB,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAEhC,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACjD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAE9E;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAiB;IAGhD,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,mBAAmB,GAAG,aAAa,EAAE,cAAc,GAAG,EAAE,EAAE,UAAU,EAAE,GAAG,MAAM,CAAC;IAEhH,KAAK,UAAU,GAAG,CAAC,OAAgB;;QACjC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAA8B,CAAC;QAE3E,gCAAgC;QAChC,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC;YAC1B,cAAc,EAAE,WAAW;YAC3B,eAAe,EAAE,8CAA8C;YAC/D,QAAQ,EAAE,UAAU;SACrB,CAAC,CAAC;QAEH,kDAAkD;QAClD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7C,IAAI,MAAM,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,aAAa,CAAC,MAAM,EAAE,cAAc,CAAC,EAAE,CAAC;YACjF,OAAO,CAAC,GAAG,CAAC,6BAA6B,EAAE,MAAM,CAAC,CAAC;YACnD,OAAO,CAAC,GAAG,CAAC,kCAAkC,EAAE,MAAM,CAAC,CAAC;QAC1D,CAAC;QAED,kBAAkB;QAClB,IAAI,MAAM,KAAK,OAAO,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC9C,OAAO,IAAI,QAAQ,CAAC,eAAe,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;QACjE,CAAC;QAED,sBAAsB;QACtB,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YACvB,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,IAAI,QAAQ,CAAC,eAAe,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;YACjE,CAAC;YAED,uCAAuC;YACvC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,mBAAmB,KAAK,aAAa,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,cAAc,CAAC;gBAC3F,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;gBAEpD,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC7B,OAAO,IAAI,QAAQ,CAAC,eAAe,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;gBACjE,CAAC;gBAED,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;oBAC3B,+DAA+D;oBAC/D,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,CAAC;oBAClE,IAAI,CAAC,SAAS;wBAAE,SAAS;oBAEzB,IAAI,IAAI,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;wBAC1B,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE;4BACxD,QAAQ,EAAE,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,QAAQ,mCAAI,IAAI;4BACrC,MAAM,EAAE,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,MAAM,mCAAI,IAAI;4BACjC,QAAQ,EAAE,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,QAAQ,mCAAI,KAAK;4BACtC,IAAI,EAAE,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,IAAI,mCAAI,GAAG;4BAC5B,MAAM,EAAE,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,MAAM;4BACzB,MAAM,EAAE,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,MAAM,mCAAI,KAAK;yBACnC,CAAC,CAAC;wBACH,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;oBAC3C,CAAC;yBAAM,IAAI,IAAI,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;wBACpC,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE;4BAChD,QAAQ,EAAE,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,QAAQ,mCAAI,IAAI;4BACrC,MAAM,EAAE,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,MAAM,mCAAI,IAAI;4BACjC,QAAQ,EAAE,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,QAAQ,mCAAI,KAAK;4BACtC,IAAI,EAAE,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,IAAI,mCAAI,GAAG;4BAC5B,MAAM,EAAE,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,MAAM;4BACzB,MAAM,EAAE,CAAC;yBACV,CAAC,CAAC;wBACH,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;oBAC3C,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,WAAM,CAAC;gBACP,8CAA8C;gBAC9C,OAAO,IAAI,QAAQ,CAAC,eAAe,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;YACjE,CAAC;QACH,CAAC;QAED,0BAA0B;QAC1B,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxB,KAAK,MAAM,UAAU,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACxC,8DAA8D;gBAC9D,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;gBAClE,MAAM,UAAU,GAAG,eAAe,CAAC,UAAU,EAAE,EAAE,EAAE;oBACjD,QAAQ,EAAE,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,QAAQ,mCAAI,IAAI;oBACpC,MAAM,EAAE,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,MAAM,mCAAI,IAAI;oBAChC,QAAQ,EAAE,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,QAAQ,mCAAI,KAAK;oBACrC,IAAI,EAAE,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,IAAI,mCAAI,GAAG;oBAC3B,MAAM,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,MAAM;oBACxB,MAAM,EAAE,CAAC,EAAE,qBAAqB;iBACjC,CAAC,CAAC;gBACH,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC;QAED,gCAAgC;QAChC,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,UAAU,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACpC,CAAC;QAED,OAAO,IAAI,QAAQ,CAAC,eAAe,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,OAAO,EAAE,GAAG,EAAE,CAAC;AACjB,CAAC;AAED,iCAAiC;AACjC,eAAe,gBAAgB,CAAC"}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,119 @@
+/**
+ * @tapbuy-public/sso
+ *
+ * Framework-agnostic SSO handler for Tapbuy checkout.
+ * Decrypts an encrypted cookie payload and sets/deletes cookies accordingly.
+ *
+ * Works with any framework that uses the Web standard Request/Response API:
+ * Next.js (App Router), Nuxt, Remix, Deno, Bun, Cloudflare Workers, etc.
+ *
+ * Supported encryption algorithms:
+ * - **AES-256-GCM** (default): uses Web Crypto API — works everywhere.
+ * - **AES-256-ECB**: uses Node.js `crypto` module — requires Node.js runtime.
+ *
+ * The `token` query parameter contains an encrypted JSON payload
+ * describing which cookies to set/remove and their values.
+ * The encryption key must match the retailer's `encryption_key` on the API side.
+ *
+ * @example
+ * // Next.js — app/api/tapbuy-sso/route.ts
+ * import { createSSOHandler } from '@tapbuy-public/sso'
+ *
+ * export const { GET } = createSSOHandler({
+ *   cookies: {
+ *     login: [
+ *       { name: 'userId', httpOnly: true, path: '/', domain: '.example.com' },
+ *     ],
+ *     logout: ['userId'],
+ *   },
+ *   encryptionKey: process.env.TAPBUY_SSO_ENCRYPTION_KEY!,
+ *   // encryptionAlgorithm: 'aes-256-ecb', // optional, default is 'aes-256-gcm'
+ * })
+ */
+/** Configuration for a single cookie to set on login. */
+export interface SSOCookieConfig {
+    /** Cookie name (e.g. "userId", "userToken"). */
+    name: string;
+    /** Whether the cookie is inaccessible to JavaScript. @default true */
+    httpOnly?: boolean;
+    /** Only send cookie over HTTPS. @default true */
+    secure?: boolean;
+    /** SameSite attribute. @default "Lax" */
+    sameSite?: 'Strict' | 'Lax' | 'None';
+    /** Cookie path. @default "/" */
+    path?: string;
+    /** Cookie domain (e.g. ".website.com"). If omitted, defaults to the request host. */
+    domain?: string;
+    /** Cookie max-age in seconds. @default 86400 (24 h) */
+    maxAge?: number;
+}
+/**
+ * A single cookie operation from the encrypted payload.
+ * The API builds an array of these, encrypts it, and passes it as the `token` query param.
+ */
+export interface SSOCookiePayloadItem {
+    /** Cookie name. Must match a name in `cookies.login` for security options. */
+    name: string;
+    /** Cookie value to set. */
+    value: string;
+    /** Whether to set or remove (expire) this cookie. */
+    action: 'set' | 'remove';
+}
+/** Supported encryption algorithms for the SSO token. */
+export type SSOEncryptionAlgorithm = 'aes-256-gcm' | 'aes-256-ecb';
+/** Main configuration object for the SSO handler. */
+export interface SSOConfig {
+    cookies: {
+        /**
+         * Cookie security options for login.
+         * Defines httpOnly, secure, sameSite, path, domain, maxAge for each cookie.
+         * Cookie names and values come from the encrypted payload.
+         */
+        login: SSOCookieConfig[];
+        /**
+         * Cookie names to delete when `action=logout`.
+         * They are expired by setting `Max-Age=0`.
+         */
+        logout: string[];
+    };
+    /**
+     * AES-256-GCM encryption key.
+     * Must match the `encryption_key` retailer config on the API side.
+     * The `token` query param is decrypted using this key to get the cookie payload.
+     */
+    encryptionKey: string;
+    /**
+     * Encryption algorithm used for the `token` query parameter.
+     * - `'aes-256-gcm'` (default): Web Crypto API — works everywhere.
+     * - `'aes-256-ecb'`: Node.js `crypto` module — requires Node.js runtime.
+     * @default 'aes-256-gcm'
+     */
+    encryptionAlgorithm?: SSOEncryptionAlgorithm;
+    /**
+     * Optional list of allowed origins for CORS.
+     * When provided, the handler adds `Access-Control-Allow-Origin` for matching origins.
+     * Supports exact strings or RegExp patterns.
+     * @default [] (no CORS headers)
+     */
+    allowedOrigins?: (string | RegExp)[];
+    /**
+     * Optional callback fired after cookies are set/deleted, before the response is returned.
+     * Useful for side-effects like logging or analytics.
+     */
+    onComplete?: (action: 'login' | 'logout', request: Request) => void | Promise<void>;
+}
+/**
+ * Create a SSO route handler.
+ *
+ * Returns an object with a `GET` method compatible with the Web standard
+ * `Request → Response` signature (Next.js App Router, etc.).
+ *
+ * Query parameters:
+ * - `token`  — encrypted cookie payload, base64-encoded (required for login)
+ * - `action` — `"login"` or `"logout"` (required)
+ */
+export declare function createSSOHandler(config: SSOConfig): {
+    GET: (request: Request) => Response | Promise<Response>;
+};
+export default createSSOHandler;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAMH,yDAAyD;AACzD,MAAM,WAAW,eAAe;IAC9B,gDAAgD;IAChD,IAAI,EAAE,MAAM,CAAC;IACb,sEAAsE;IACtE,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,iDAAiD;IACjD,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,yCAAyC;IACzC,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IACrC,gCAAgC;IAChC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qFAAqF;IACrF,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,uDAAuD;IACvD,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAoB;IACnC,8EAA8E;IAC9E,IAAI,EAAE,MAAM,CAAC;IACb,2BAA2B;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,qDAAqD;IACrD,MAAM,EAAE,KAAK,GAAG,QAAQ,CAAC;CAC1B;AAED,yDAAyD;AACzD,MAAM,MAAM,sBAAsB,GAAG,aAAa,GAAG,aAAa,CAAC;AAEnE,qDAAqD;AACrD,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE;QACP;;;;WAIG;QACH,KAAK,EAAE,eAAe,EAAE,CAAC;QACzB;;;WAGG;QACH,MAAM,EAAE,MAAM,EAAE,CAAC;KAClB,CAAC;IACF;;;;OAIG;IACH,aAAa,EAAE,MAAM,CAAC;IACtB;;;;;OAKG;IACH,mBAAmB,CAAC,EAAE,sBAAsB,CAAC;IAC7C;;;;;OAKG;IACH,cAAc,CAAC,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,CAAC;IACrC;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,MAAM,EAAE,OAAO,GAAG,QAAQ,EAAE,OAAO,EAAE,OAAO,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACrF;AAmMD;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,SAAS,GAAG;IACnD,GAAG,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACzD,CAqGA;AAGD,eAAe,gBAAgB,CAAC"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,320 @@
+"use strict";
+/**
+ * @tapbuy-public/sso
+ *
+ * Framework-agnostic SSO handler for Tapbuy checkout.
+ * Decrypts an encrypted cookie payload and sets/deletes cookies accordingly.
+ *
+ * Works with any framework that uses the Web standard Request/Response API:
+ * Next.js (App Router), Nuxt, Remix, Deno, Bun, Cloudflare Workers, etc.
+ *
+ * Supported encryption algorithms:
+ * - **AES-256-GCM** (default): uses Web Crypto API — works everywhere.
+ * - **AES-256-ECB**: uses Node.js `crypto` module — requires Node.js runtime.
+ *
+ * The `token` query parameter contains an encrypted JSON payload
+ * describing which cookies to set/remove and their values.
+ * The encryption key must match the retailer's `encryption_key` on the API side.
+ *
+ * @example
+ * // Next.js — app/api/tapbuy-sso/route.ts
+ * import { createSSOHandler } from '@tapbuy-public/sso'
+ *
+ * export const { GET } = createSSOHandler({
+ *   cookies: {
+ *     login: [
+ *       { name: 'userId', httpOnly: true, path: '/', domain: '.example.com' },
+ *     ],
+ *     logout: ['userId'],
+ *   },
+ *   encryptionKey: process.env.TAPBUY_SSO_ENCRYPTION_KEY!,
+ *   // encryptionAlgorithm: 'aes-256-ecb', // optional, default is 'aes-256-gcm'
+ * })
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createSSOHandler = createSSOHandler;
+// ---------------------------------------------------------------------------
+// 1x1 transparent GIF
+// ---------------------------------------------------------------------------
+/** Minimal 1×1 transparent GIF (43 bytes). */
+const TRANSPARENT_GIF = new Uint8Array([
+    0x47, 0x49, 0x46, 0x38, 0x39, 0x61, // GIF89a
+    0x01, 0x00, 0x01, 0x00, // 1×1
+    0x80, 0x00, 0x00, // GCT flag, 2 colors
+    0x00, 0x00, 0x00, // color 0: black
+    0xff, 0xff, 0xff, // color 1: white
+    0x21, 0xf9, 0x04, // GCE
+    0x01, 0x00, 0x00, 0x00, 0x00, // transparent index 0
+    0x2c, // image descriptor
+    0x00, 0x00, 0x00, 0x00, // left, top
+    0x01, 0x00, 0x01, 0x00, // width, height
+    0x00, // packed byte
+    0x02, 0x02, 0x44, 0x01, 0x00, // LZW min code size + data
+    0x3b, // trailer
+]);
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function serializeCookie(name, value, options) {
+    const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
+    if (options.path)
+        parts.push(`Path=${options.path}`);
+    if (options.domain)
+        parts.push(`Domain=${options.domain}`);
+    if (options.maxAge !== undefined)
+        parts.push(`Max-Age=${options.maxAge}`);
+    if (options.secure)
+        parts.push('Secure');
+    if (options.httpOnly)
+        parts.push('HttpOnly');
+    if (options.sameSite)
+        parts.push(`SameSite=${options.sameSite}`);
+    return parts.join('; ');
+}
+function matchesOrigin(origin, allowed) {
+    return allowed.some((pattern) => {
+        if (typeof pattern === 'string')
+            return origin === pattern;
+        pattern.lastIndex = 0;
+        return pattern.test(origin);
+    });
+}
+const VALID_ACTIONS = new Set(['set', 'remove']);
+function isValidPayload(payload) {
+    if (!Array.isArray(payload))
+        return false;
+    return payload.every((item) => item != null &&
+        typeof item === 'object' &&
+        typeof item.name === 'string' &&
+        typeof item.value === 'string' &&
+        VALID_ACTIONS.has(item.action));
+}
+// ---------------------------------------------------------------------------
+// Encrypted mode helpers
+// ---------------------------------------------------------------------------
+/**
+ * Decrypt an AES-256-GCM encrypted payload.
+ *
+ * The encrypted data format (matching PHP `encodeCartKey`):
+ *   base64( iv[12 bytes] + tag[16 bytes] + cipherText )
+ *
+ * Web Crypto API expects: cipherText + tag (tag appended at the end).
+ *
+ * @param encryptedBase64 - Base64-encoded encrypted string from the `token` query param.
+ * @param encryptionKey   - Shared secret key (will be padded/truncated to 32 bytes).
+ * @returns Parsed array of cookie payload items.
+ */
+async function decryptPayload(encryptedBase64, encryptionKey) {
+    // Pad/truncate key to 32 bytes — matches PHP: substr(str_pad($key, 32, "\0"), 0, 32)
+    const keyBytes = new Uint8Array(32);
+    const encoder = new TextEncoder();
+    const rawKey = encoder.encode(encryptionKey);
+    keyBytes.set(rawKey.subarray(0, 32));
+    // Decode base64
+    const binaryStr = atob(encryptedBase64);
+    const data = new Uint8Array(binaryStr.length);
+    for (let i = 0; i < binaryStr.length; i++) {
+        data[i] = binaryStr.charCodeAt(i);
+    }
+    // PHP format: iv(12) + tag(16) + cipherText
+    const iv = data.slice(0, 12);
+    const tag = data.slice(12, 28);
+    const cipherText = data.slice(28);
+    // Web Crypto expects: cipherText + tag (tag appended)
+    const combined = new Uint8Array(cipherText.length + tag.length);
+    combined.set(cipherText);
+    combined.set(tag, cipherText.length);
+    // Import key
+    const cryptoKey = await globalThis.crypto.subtle.importKey('raw', keyBytes, { name: 'AES-GCM' }, false, ['decrypt']);
+    // Decrypt
+    const decrypted = await globalThis.crypto.subtle.decrypt({ name: 'AES-GCM', iv, tagLength: 128 }, cryptoKey, combined);
+    const jsonStr = new TextDecoder().decode(decrypted);
+    return JSON.parse(jsonStr);
+}
+/**
+ * Decrypt an AES-256-ECB encrypted payload.
+ *
+ * ECB mode is not supported by the Web Crypto API, so this uses the Node.js
+ * `crypto` module. Works in Next.js, Nuxt, Remix, Deno, and Bun.
+ *
+ * The encrypted data format (matching PHP `phpseclib` AES ECB with PKCS7 padding):
+ *   base64( AES-256-ECB-PKCS7(json) )
+ *
+ * @param encryptedBase64 - Base64-encoded encrypted string from the `token` query param.
+ * @param encryptionKey   - Shared secret key (will be padded/truncated to 32 bytes).
+ * @returns Parsed array of cookie payload items.
+ */
+async function decryptPayloadECB(encryptedBase64, encryptionKey) {
+    // Pad/truncate key to 32 bytes — matches PHP: substr(str_pad($key, 32, "\0"), 0, 32)
+    const keyBytes = new Uint8Array(32);
+    const encoder = new TextEncoder();
+    const rawKey = encoder.encode(encryptionKey);
+    keyBytes.set(rawKey.subarray(0, 32));
+    // Decode base64
+    const binaryStr = atob(encryptedBase64);
+    const data = new Uint8Array(binaryStr.length);
+    for (let i = 0; i < binaryStr.length; i++) {
+        data[i] = binaryStr.charCodeAt(i);
+    }
+    // ECB mode is not supported by Web Crypto API.
+    // Use Node.js crypto module (available in Next.js, Nuxt, Remix, Deno, Bun).
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    let nodeCrypto;
+    try {
+        nodeCrypto = await Promise.resolve().then(() => __importStar(require('crypto')));
+    }
+    catch (_a) {
+        throw new Error('AES-256-ECB requires the Node.js crypto module. ' +
+            'Use AES-256-GCM for environments without Node.js (e.g. Cloudflare Workers).');
+    }
+    const decipher = nodeCrypto.createDecipheriv('aes-256-ecb', keyBytes, null);
+    const part1 = decipher.update(data);
+    const part2 = decipher.final();
+    const result = new Uint8Array(part1.length + part2.length);
+    result.set(part1);
+    result.set(part2, part1.length);
+    const jsonStr = new TextDecoder().decode(result);
+    return JSON.parse(jsonStr);
+}
+// ---------------------------------------------------------------------------
+// Handler factory
+// ---------------------------------------------------------------------------
+/**
+ * Create a SSO route handler.
+ *
+ * Returns an object with a `GET` method compatible with the Web standard
+ * `Request → Response` signature (Next.js App Router, etc.).
+ *
+ * Query parameters:
+ * - `token`  — encrypted cookie payload, base64-encoded (required for login)
+ * - `action` — `"login"` or `"logout"` (required)
+ */
+function createSSOHandler(config) {
+    const { cookies, encryptionKey, encryptionAlgorithm = 'aes-256-gcm', allowedOrigins = [], onComplete } = config;
+    async function GET(request) {
+        var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o;
+        const url = new URL(request.url);
+        const token = url.searchParams.get('token');
+        const action = url.searchParams.get('action');
+        // Build common response headers
+        const headers = new Headers({
+            'Content-Type': 'image/gif',
+            'Cache-Control': 'no-store, no-cache, must-revalidate, private',
+            'Pragma': 'no-cache',
+        });
+        // CORS — only if an origin matches the allow-list
+        const origin = request.headers.get('Origin');
+        if (origin && allowedOrigins.length > 0 && matchesOrigin(origin, allowedOrigins)) {
+            headers.set('Access-Control-Allow-Origin', origin);
+            headers.set('Access-Control-Allow-Credentials', 'true');
+        }
+        // Validate action
+        if (action !== 'login' && action !== 'logout') {
+            return new Response(TRANSPARENT_GIF, { status: 400, headers });
+        }
+        // Login — set cookies
+        if (action === 'login') {
+            if (!token) {
+                return new Response(TRANSPARENT_GIF, { status: 400, headers });
+            }
+            // Decrypt the encrypted cookie payload
+            try {
+                const decrypt = encryptionAlgorithm === 'aes-256-ecb' ? decryptPayloadECB : decryptPayload;
+                const payload = await decrypt(token, encryptionKey);
+                if (!isValidPayload(payload)) {
+                    return new Response(TRANSPARENT_GIF, { status: 400, headers });
+                }
+                for (const item of payload) {
+                    // Only allow cookies explicitly listed in config.cookies.login
+                    const cookieCfg = cookies.login.find((c) => c.name === item.name);
+                    if (!cookieCfg)
+                        continue;
+                    if (item.action === 'set') {
+                        const serialized = serializeCookie(item.name, item.value, {
+                            httpOnly: (_a = cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.httpOnly) !== null && _a !== void 0 ? _a : true,
+                            secure: (_b = cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.secure) !== null && _b !== void 0 ? _b : true,
+                            sameSite: (_c = cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.sameSite) !== null && _c !== void 0 ? _c : 'Lax',
+                            path: (_d = cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.path) !== null && _d !== void 0 ? _d : '/',
+                            domain: cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.domain,
+                            maxAge: (_e = cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.maxAge) !== null && _e !== void 0 ? _e : 86400,
+                        });
+                        headers.append('Set-Cookie', serialized);
+                    }
+                    else if (item.action === 'remove') {
+                        const serialized = serializeCookie(item.name, '', {
+                            httpOnly: (_f = cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.httpOnly) !== null && _f !== void 0 ? _f : true,
+                            secure: (_g = cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.secure) !== null && _g !== void 0 ? _g : true,
+                            sameSite: (_h = cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.sameSite) !== null && _h !== void 0 ? _h : 'Lax',
+                            path: (_j = cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.path) !== null && _j !== void 0 ? _j : '/',
+                            domain: cookieCfg === null || cookieCfg === void 0 ? void 0 : cookieCfg.domain,
+                            maxAge: 0,
+                        });
+                        headers.append('Set-Cookie', serialized);
+                    }
+                }
+            }
+            catch (_p) {
+                // Decryption or JSON parse failed — bad token
+                return new Response(TRANSPARENT_GIF, { status: 400, headers });
+            }
+        }
+        // Logout — expire cookies
+        if (action === 'logout') {
+            for (const cookieName of cookies.logout) {
+                // Find matching login config for path/domain, or use defaults
+                const loginCfg = cookies.login.find((c) => c.name === cookieName);
+                const serialized = serializeCookie(cookieName, '', {
+                    httpOnly: (_k = loginCfg === null || loginCfg === void 0 ? void 0 : loginCfg.httpOnly) !== null && _k !== void 0 ? _k : true,
+                    secure: (_l = loginCfg === null || loginCfg === void 0 ? void 0 : loginCfg.secure) !== null && _l !== void 0 ? _l : true,
+                    sameSite: (_m = loginCfg === null || loginCfg === void 0 ? void 0 : loginCfg.sameSite) !== null && _m !== void 0 ? _m : 'Lax',
+                    path: (_o = loginCfg === null || loginCfg === void 0 ? void 0 : loginCfg.path) !== null && _o !== void 0 ? _o : '/',
+                    domain: loginCfg === null || loginCfg === void 0 ? void 0 : loginCfg.domain,
+                    maxAge: 0, // Expire immediately
+                });
+                headers.append('Set-Cookie', serialized);
+            }
+        }
+        // Optional side-effect callback
+        if (onComplete) {
+            await onComplete(action, request);
+        }
+        return new Response(TRANSPARENT_GIF, { status: 200, headers });
+    }
+    return { GET };
+}
+// Default export for convenience
+exports.default = createSSOHandler;
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6RH,4CAuGC;AAlTD,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,8CAA8C;AAC9C,MAAM,eAAe,GAAG,IAAI,UAAU,CAAC;IACrC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS;IAC7C,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAc,MAAM;IAC1C,IAAI,EAAE,IAAI,EAAE,IAAI,EAAoB,qBAAqB;IACzD,IAAI,EAAE,IAAI,EAAE,IAAI,EAAoB,iBAAiB;IACrD,IAAI,EAAE,IAAI,EAAE,IAAI,EAAoB,iBAAiB;IACrD,IAAI,EAAE,IAAI,EAAE,IAAI,EAAoB,MAAM;IAC1C,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAQ,sBAAsB;IAC1D,IAAI,EAAgC,mBAAmB;IACvD,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAc,YAAY;IAChD,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAc,gBAAgB;IACpD,IAAI,EAAgC,cAAc;IAClD,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAQ,2BAA2B;IAC/D,IAAI,EAAgC,UAAU;CAC/C,CAAC,CAAC;AAEH,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,eAAe,CACtB,IAAY,EACZ,KAAa,EACb,OAOC;IAED,MAAM,KAAK,GAAa,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAErF,IAAI,OAAO,CAAC,IAAI;QAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IACrD,IAAI,OAAO,CAAC,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,UAAU,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3D,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,WAAW,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1E,IAAI,OAAO,CAAC,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACzC,IAAI,OAAO,CAAC,QAAQ;QAAE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7C,IAAI,OAAO,CAAC,QAAQ;QAAE,KAAK,CAAC,IAAI,CAAC,YAAY,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAEjE,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,aAAa,CAAC,MAAc,EAAE,OAA4B;IACjE,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE;QAC9B,IAAI,OAAO,OAAO,KAAK,QAAQ;YAAE,OAAO,MAAM,KAAK,OAAO,CAAC;QAC3D,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QACtB,OAAO,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC;AAEjD,SAAS,cAAc,CAAC,OAAgB;IACtC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,OAAO,CAAC,KAAK,CAClB,CAAC,IAAI,EAAE,EAAE,CACP,IAAI,IAAI,IAAI;QACZ,OAAO,IAAI,KAAK,QAAQ;QACxB,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ;QAC7B,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ;QAC9B,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CACjC,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E;;;;;;;;;;;GAWG;AACH,KAAK,UAAU,cAAc,CAC3B,eAAuB,EACvB,aAAqB;IAErB,qFAAqF;IACrF,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IAC7C,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAErC,gBAAgB;IAChB,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC;IACxC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC9C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,IAAI,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACpC,CAAC;IAED,4CAA4C;IAC5C,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAC/B,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAElC,sDAAsD;IACtD,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;IAChE,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACzB,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;IAErC,aAAa;IACb,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CACxD,KAAK,EACL,QAAQ,EACR,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;IAEF,UAAU;IACV,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CACtD,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,SAAS,EAAE,GAAG,EAAE,EACvC,SAAS,EACT,QAAQ,CACT,CAAC;IAEF,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AAC7B,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,KAAK,UAAU,iBAAiB,CAC9B,eAAuB,EACvB,aAAqB;IAErB,qFAAqF;IACrF,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IAC7C,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAErC,gBAAgB;IAChB,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC;IACxC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC9C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,IAAI,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACpC,CAAC;IAED,+CAA+C;IAC/C,4EAA4E;IAC5E,8DAA8D;IAC9D,IAAI,UAAe,CAAC;IACpB,IAAI,CAAC;QACH,UAAU,GAAG,wDAAa,QAAQ,GAAC,CAAC;IACtC,CAAC;IAAC,WAAM,CAAC;QACP,MAAM,IAAI,KAAK,CACb,kDAAkD;YAChD,6EAA6E,CAChF,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,UAAU,CAAC,gBAAgB,CAAC,aAAa,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC5E,MAAM,KAAK,GAAe,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAChD,MAAM,KAAK,GAAe,QAAQ,CAAC,KAAK,EAAE,CAAC;IAE3C,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;IAC3D,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAClB,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAEhC,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACjD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAE9E;;;;;;;;;GASG;AACH,SAAgB,gBAAgB,CAAC,MAAiB;IAGhD,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,mBAAmB,GAAG,aAAa,EAAE,cAAc,GAAG,EAAE,EAAE,UAAU,EAAE,GAAG,MAAM,CAAC;IAEhH,KAAK,UAAU,GAAG,CAAC,OAAgB;;QACjC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAA8B,CAAC;QAE3E,gCAAgC;QAChC,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC;YAC1B,cAAc,EAAE,WAAW;YAC3B,eAAe,EAAE,8CAA8C;YAC/D,QAAQ,EAAE,UAAU;SACrB,CAAC,CAAC;QAEH,kDAAkD;QAClD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7C,IAAI,MAAM,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,aAAa,CAAC,MAAM,EAAE,cAAc,CAAC,EAAE,CAAC;YACjF,OAAO,CAAC,GAAG,CAAC,6BAA6B,EAAE,MAAM,CAAC,CAAC;YACnD,OAAO,CAAC,GAAG,CAAC,kCAAkC,EAAE,MAAM,CAAC,CAAC;QAC1D,CAAC;QAED,kBAAkB;QAClB,IAAI,MAAM,KAAK,OAAO,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC9C,OAAO,IAAI,QAAQ,CAAC,eAAe,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;QACjE,CAAC;QAED,sBAAsB;QACtB,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YACvB,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,IAAI,QAAQ,CAAC,eAAe,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;YACjE,CAAC;YAED,uCAAuC;YACvC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,mBAAmB,KAAK,aAAa,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,cAAc,CAAC;gBAC3F,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;gBAEpD,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC7B,OAAO,IAAI,QAAQ,CAAC,eAAe,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;gBACjE,CAAC;gBAED,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;oBAC3B,+DAA+D;oBAC/D,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,CAAC;oBAClE,IAAI,CAAC,SAAS;wBAAE,SAAS;oBAEzB,IAAI,IAAI,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;wBAC1B,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE;4BACxD,QAAQ,EAAE,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,QAAQ,mCAAI,IAAI;4BACrC,MAAM,EAAE,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,MAAM,mCAAI,IAAI;4BACjC,QAAQ,EAAE,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,QAAQ,mCAAI,KAAK;4BACtC,IAAI,EAAE,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,IAAI,mCAAI,GAAG;4BAC5B,MAAM,EAAE,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,MAAM;4BACzB,MAAM,EAAE,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,MAAM,mCAAI,KAAK;yBACnC,CAAC,CAAC;wBACH,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;oBAC3C,CAAC;yBAAM,IAAI,IAAI,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;wBACpC,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE;4BAChD,QAAQ,EAAE,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,QAAQ,mCAAI,IAAI;4BACrC,MAAM,EAAE,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,MAAM,mCAAI,IAAI;4BACjC,QAAQ,EAAE,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,QAAQ,mCAAI,KAAK;4BACtC,IAAI,EAAE,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,IAAI,mCAAI,GAAG;4BAC5B,MAAM,EAAE,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,MAAM;4BACzB,MAAM,EAAE,CAAC;yBACV,CAAC,CAAC;wBACH,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;oBAC3C,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,WAAM,CAAC;gBACP,8CAA8C;gBAC9C,OAAO,IAAI,QAAQ,CAAC,eAAe,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;YACjE,CAAC;QACH,CAAC;QAED,0BAA0B;QAC1B,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxB,KAAK,MAAM,UAAU,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACxC,8DAA8D;gBAC9D,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;gBAClE,MAAM,UAAU,GAAG,eAAe,CAAC,UAAU,EAAE,EAAE,EAAE;oBACjD,QAAQ,EAAE,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,QAAQ,mCAAI,IAAI;oBACpC,MAAM,EAAE,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,MAAM,mCAAI,IAAI;oBAChC,QAAQ,EAAE,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,QAAQ,mCAAI,KAAK;oBACrC,IAAI,EAAE,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,IAAI,mCAAI,GAAG;oBAC3B,MAAM,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,MAAM;oBACxB,MAAM,EAAE,CAAC,EAAE,qBAAqB;iBACjC,CAAC,CAAC;gBACH,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC;QAED,gCAAgC;QAChC,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,UAAU,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACpC,CAAC;QAED,OAAO,IAAI,QAAQ,CAAC,eAAe,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,OAAO,EAAE,GAAG,EAAE,CAAC;AACjB,CAAC;AAED,iCAAiC;AACjC,kBAAe,gBAAgB,CAAC"}

package/package.json ADDED Viewed

@@ -0,0 +1,64 @@
+{
+  "name": "@tapbuy-public/sso",
+  "version": "1.0.0",
+  "description": "Framework-agnostic SSO handler for Tapbuy checkout — decrypts an encrypted token from a query param and sets/deletes auth cookies accordingly",
+  "main": "dist/index.js",
+  "module": "dist/esm/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "yarn clean && yarn build:cjs && yarn build:esm",
+    "build:cjs": "tsc",
+    "build:esm": "tsc --project tsconfig.esm.json --outDir dist/esm",
+    "clean": "rm -rf dist",
+    "dev": "tsc --watch",
+    "test": "jest",
+    "lint": "eslint \"**/*.ts\"",
+    "lint:fix": "eslint \"**/*.ts\" --fix",
+    "prepublishOnly": "yarn build"
+  },
+  "keywords": [
+    "sso",
+    "single-sign-on",
+    "tapbuy",
+    "checkout",
+    "auth",
+    "cookie",
+    "typescript"
+  ],
+  "author": "Tapbuy",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/tapbuy/sso.git"
+  },
+  "bugs": {
+    "url": "https://github.com/tapbuy/sso/issues"
+  },
+  "homepage": "https://github.com/tapbuy/sso#readme",
+  "engines": {
+    "node": ">=18"
+  },
+  "devDependencies": {
+    "@types/jest": "^29.5.0",
+    "@types/node": "^20.0.0",
+    "@typescript-eslint/eslint-plugin": "^8.44.1",
+    "@typescript-eslint/parser": "^8.44.1",
+    "eslint": "^8.0.0",
+    "jest": "^29.5.0",
+    "ts-jest": "^29.1.0",
+    "typescript": "^5.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/esm/index.js",
+      "require": "./dist/index.js"
+    }
+  }
+}