@telicent-oss/fe-auth-lib 0.0.1 → 1.0.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@telicent-oss/fe-auth-lib",
-  "version": "0.0.1",
+  "version": "1.0.0",
   "private": false,
   "license": "Apache-2.0",
   "description": "OAuth2 client library for Telicent Authentication Server",
@@ -50,5 +50,5 @@
   "engines": {
     "node": ">=20.19.0"
   },
-  "gitHead": "c87206544b5b218fd0f964f9b544d44c78b929fd"
+  "gitHead": "8d5a492c674cc5d8af0be2f20341655c6231397f"
 }

package/src/AuthServerOAuth2Client.d.ts

@@ -37,14 +37,14 @@ export interface UserInfo {
   email: string;
   /** Preferred display name - NOT NULL in DB */
   preferred_name: string;
-  /** Is Active - NOT NULL in DB */
-  isActive: boolean;
-  /** Groups - NOT NULL in DB */
-  groups: string[];
-  /** Roles - NOT NULL in DB */
-  roles: string[];
-  /** Permissions - NOT NULL in DB */
-  permissions: string[];
+  /** Is Active - from ID token custom claim */
+  isActive?: boolean;
+  /** Groups - optional (not present in ID token) */
+  groups?: string[];
+  /** Roles - optional (not present in ID token) */
+  roles?: string[];
+  /** Permissions - optional (not present in ID token) */
+  permissions?: string[];
   // Standard OIDC claims (always present)
   /** Token issuer URL */
   iss: string;
@@ -74,7 +74,7 @@ export interface UserInfo {
   token_expired?: boolean;
   /** Token expiration timestamp (ISO string) */
   token_expires_at?: string;
-  /** Source of user info ('id_token' or 'oauth2_userinfo_api') */
+  /** Source of user info (id_token; /userinfo removed) */
   source?: string;
   /** External identity provider details */
   externalProvider?: Record<string, unknown>;
@@ -343,22 +343,11 @@ declare class AuthServerOAuth2Client {
   getUserInfo(): UserInfo | null;
 
   /**
-   * Get fresh user info from OAuth2 userinfo endpoint
+   * Returns ID token claims; /userinfo is no longer available.
    *
-   * Fetches current user data from auth server. Slower than getUserInfo() but
-   * guarantees fresh data. Use when you need up-to-date user information.
+   * Use getUserInfo() instead. This method remains for API compatibility.
    *
-   * @returns Promise resolving to fresh user information
-   * @throws {Error} If request fails or session invalid
-   * @example
-   * ```javascript
-   * try {
-   *   const freshUserInfo = await authClient.getUserInfoFromAPI();
-   *   console.log("Fresh user data:", freshUserInfo);
-   * } catch (error) {
-   *   console.error("Failed to get fresh user info:", error);
-   * }
-   * ```
+   * @returns Promise resolving to user information or null
    */
   getUserInfoFromAPI(): Promise<UserInfo | null>;
 

package/src/AuthServerOAuth2Client.js

@@ -34,19 +34,14 @@ class AuthServerOAuth2Client {
           `Invalid AuthServerOAuth2Client configuration: ${error.message}`
         );
       }
+    } else {
+      console.warn(
+        "⚠️ AuthServerOAuth2Client instantiated with undefined config"
+      );
+      return;
     }
 
     this.config = {
-      clientId: "spa-client", // Default - should be overridden
-      authServerUrl: "http://auth.telicent.localhost",
-      redirectUri: "http://demo.telicent.localhost/callback.html", // Default - should be overridden
-      popupRedirectUri: null, // Must be provided for popup flows
-      scope: "openid email profile offline_access",
-      apiUrl: "http://api.telicent.localhost",
-      onLogout: () => {
-        window.alert("You are now logged out. Redirecting to /");
-        window.location.href = "/";
-      },
       ...config,
     };
 
@@ -424,7 +419,6 @@ class AuthServerOAuth2Client {
         const result = await response.json();
         // set auth_session_id if user is already signed in
         sessionStorage.setItem("auth_id_token", result.id_token);
-        console.log(result);
         return true;
       }
 
@@ -607,6 +601,7 @@ class AuthServerOAuth2Client {
         sub: payload.sub,
         email: payload.email,
         preferred_name: payload.preferred_name,
+        isActive: payload.isActive,
         iss: payload.iss,
         aud: payload.aud,
         exp: payload.exp,
@@ -652,25 +647,10 @@ class AuthServerOAuth2Client {
 
   // Get fresh user info from OAuth2 userinfo endpoint (UNIFIED ENDPOINT)
   async getUserInfoFromAPI() {
-    try {
-      const response = await this.makeAuthenticatedRequest(
-        `${this.config.authServerUrl}/userinfo`
-      );
-
-      if (response.ok) {
-        const data = await response.json();
-        return {
-          ...data,
-          source: this.isCrossDomain
-            ? "oauth2_userinfo_api_cross_domain"
-            : "oauth2_userinfo_api_same_domain",
-        };
-      }
-      return null;
-    } catch (error) {
-      console.error("Error getting user info from OAuth2 API:", error);
-      return null;
-    }
+    console.warn(
+      "getUserInfoFromAPI: /userinfo has been removed; returning ID token claims instead."
+    );
+    return this.getUserInfo();
   }
 
   // Get raw ID token from storage
@@ -734,9 +714,6 @@ class AuthServerOAuth2Client {
     const response = await fetch(url, requestOptions);
 
     if (response.status === 401) {
-      // QUESTION: would I ever use this method to call session check?
-      // I can only envisage scenarios where app endpoints get hit using this?
-      //
       // Don't auto-logout during callback flow or logout operations to prevent infinite loops
       const isCallbackFlow =
         options.skipAutoLogout || url.includes("/session/idtoken");

package/src/schemas.d.ts

@@ -9,6 +9,7 @@ export declare const GetUserInfoSchema: z.ZodObject<{
   sub: z.ZodString;
   email: z.ZodString;
   preferred_name: z.ZodString;
+  isActive: z.ZodOptional<z.ZodBoolean>;
 
   // Standard OIDC claims (always present)
   iss: z.ZodString;

package/src/schemas.js

@@ -4,11 +4,13 @@ let GetUserInfoSchema;
 let AuthServerOAuth2ClientConfigSchema;
 
 try {
-  if (typeof require !== 'undefined') {
-    z = require('zod').z;
+  if (typeof require !== "undefined") {
+    z = require("zod").z;
   }
 } catch (e) {
-  console.warn('Zod not available in this environment, schema validation will be disabled');
+  console.warn(
+    "Zod not available in this environment, schema validation will be disabled"
+  );
 }
 
 /**
@@ -17,64 +19,67 @@ try {
  */
 if (z) {
   GetUserInfoSchema = z.object({
-  // Core user identity (from JWTConfig.java:169-171)
-  sub: z.string(),                    // Always present
-  email: z.string().email(),          // NOT NULL in DB
-  preferred_name: z.string(),         // NOT NULL in DB
+    // Core user identity (from JWTConfig.java:169-171)
+    sub: z.string(),                    // Always present
+    email: z.string().email(),          // NOT NULL in DB
+    preferred_name: z.string(),         // NOT NULL in DB
+    isActive: z.boolean().optional(),   // Custom claim from ID token
 
-  // Standard OIDC claims (always present)
-  iss: z.string(),                    // Issuer URL
-  aud: z.string(),                    // Audience (client ID)
-  exp: z.number(),                    // Expiration timestamp
-  iat: z.number(),                    // Issued at timestamp
-  jti: z.string(),                    // JWT ID
+    // Standard OIDC claims (always present)
+    iss: z.string(), // Issuer URL
+    aud: z.string(), // Audience (client ID)
+    exp: z.number(), // Expiration timestamp
+    iat: z.number(), // Issued at timestamp
+    jti: z.string(), // JWT ID
 
-  // Optional OIDC claims (conditional)
-  nonce: z.string().optional(),       // Only if sent in auth request
-  auth_time: z.number().optional(),   // Authentication timestamp
-  sid: z.string().optional(),         // Session ID
-  azp: z.string().optional(),         // Authorized party
+    // Optional OIDC claims (conditional)
+    nonce: z.string().optional(), // Only if sent in auth request
+    auth_time: z.number().optional(), // Authentication timestamp
+    sid: z.string().optional(), // Session ID
+    azp: z.string().optional(), // Authorized party
 
-  // FE client additions (check your oauth2Client implementation)
-  name: z.string().optional(),
-  token_expired: z.boolean().optional(),
-  token_expires_at: z.string().optional(),
-  source: z.string().optional(),
-  externalProvider: z.record(z.unknown()).optional(),
+    // FE client additions (check your oauth2Client implementation)
+    name: z.string().optional(),
+    token_expired: z.boolean().optional(),
+    token_expires_at: z.string().optional(),
+    source: z.string().optional(),
+    externalProvider: z.record(z.unknown()).optional(),
   });
 
   /**
    * Zod schema for AuthServerOAuth2Client constructor config
    */
-  AuthServerOAuth2ClientConfigSchema = z.object({
-    // OAuth2 client identifier
-    clientId: z.string().optional(),
-    authServerUrl: z.string().url().optional(),
-    redirectUri: z.string().url().optional(),
-    popupRedirectUri: z.string().url().optional().nullable(),
-    scope: z.string().optional(),
-    apiUrl: z.string().url().optional(),
-    onLogout: z.function().optional(),
-  }).strict();
+  AuthServerOAuth2ClientConfigSchema = z
+    .object({
+      // OAuth2 client identifier
+      clientId: z.string(),
+      authServerUrl: z.string().url(),
+      redirectUri: z.string().url(),
+      popupRedirectUri: z.string().url(),
+      scope: z.string(),
+      onLogout: z.function(),
+    })
+    .strict();
 }
 
 // ES module and CommonJS exports
-if (typeof module !== 'undefined' && module.exports) {
+if (typeof module !== "undefined" && module.exports) {
   module.exports = {
     GetUserInfoSchema,
-    AuthServerOAuth2ClientConfigSchema
+    AuthServerOAuth2ClientConfigSchema,
   };
   module.exports.default = {
     GetUserInfoSchema,
-    AuthServerOAuth2ClientConfigSchema
+    AuthServerOAuth2ClientConfigSchema,
   };
 }
 
-if (typeof exports !== 'undefined' && typeof module === 'undefined') {
+if (typeof exports !== "undefined" && typeof module === "undefined") {
   exports.GetUserInfoSchema = GetUserInfoSchema;
-  exports.AuthServerOAuth2ClientConfigSchema = AuthServerOAuth2ClientConfigSchema;
+  exports.AuthServerOAuth2ClientConfigSchema =
+    AuthServerOAuth2ClientConfigSchema;
   exports.default = {
     GetUserInfoSchema,
-    AuthServerOAuth2ClientConfigSchema
+    AuthServerOAuth2ClientConfigSchema,
   };
 }

package/src/schemas.test.js

@@ -65,19 +65,19 @@ describe("AuthServerOAuth2ClientConfigSchema", () => {
 
     expect(results).toMatchInlineSnapshot(`
       [
-        "✓ absolute https URL",
-        "✓ absolute http URL",
-        "✓ null value",
-        "✓ omitted field",
-        "✓ all fields with absolute URLs",
-        "✗ relative slash URL in popupRedirectUri → popupRedirectUri: Invalid url",
-        "✗ relative dot-slash URL in popupRedirectUri → popupRedirectUri: Invalid url",
-        "✗ URL without protocol in popupRedirectUri → popupRedirectUri: Invalid url",
-        "✗ protocol-relative URL in popupRedirectUri → popupRedirectUri: Invalid url",
-        "✗ relative URL in authServerUrl → authServerUrl: Invalid url",
-        "✗ relative URL in redirectUri → redirectUri: Invalid url",
-        "✗ relative URL in apiUrl → apiUrl: Invalid url",
-        "✗ unknown property → root: Unrecognized key(s) in object: 'unknownProperty'",
+        "✗ absolute https URL → clientId: Required, authServerUrl: Required, redirectUri: Required, scope: Required, onLogout: Required",
+        "✗ absolute http URL → clientId: Required, authServerUrl: Required, redirectUri: Required, scope: Required, onLogout: Required",
+        "✗ null value → clientId: Required, authServerUrl: Required, redirectUri: Required, popupRedirectUri: Expected string, received null, scope: Required, onLogout: Required",
+        "✗ omitted field → authServerUrl: Required, redirectUri: Required, popupRedirectUri: Required, scope: Required, onLogout: Required",
+        "✗ all fields with absolute URLs → onLogout: Required, root: Unrecognized key(s) in object: 'apiUrl'",
+        "✗ relative slash URL in popupRedirectUri → clientId: Required, authServerUrl: Required, redirectUri: Required, popupRedirectUri: Invalid url, scope: Required, onLogout: Required",
+        "✗ relative dot-slash URL in popupRedirectUri → clientId: Required, authServerUrl: Required, redirectUri: Required, popupRedirectUri: Invalid url, scope: Required, onLogout: Required",
+        "✗ URL without protocol in popupRedirectUri → clientId: Required, authServerUrl: Required, redirectUri: Required, popupRedirectUri: Invalid url, scope: Required, onLogout: Required",
+        "✗ protocol-relative URL in popupRedirectUri → clientId: Required, authServerUrl: Required, redirectUri: Required, popupRedirectUri: Invalid url, scope: Required, onLogout: Required",
+        "✗ relative URL in authServerUrl → clientId: Required, authServerUrl: Invalid url, redirectUri: Required, popupRedirectUri: Required, scope: Required, onLogout: Required",
+        "✗ relative URL in redirectUri → clientId: Required, authServerUrl: Required, redirectUri: Invalid url, popupRedirectUri: Required, scope: Required, onLogout: Required",
+        "✗ relative URL in apiUrl → clientId: Required, authServerUrl: Required, redirectUri: Required, popupRedirectUri: Required, scope: Required, onLogout: Required, root: Unrecognized key(s) in object: 'apiUrl'",
+        "✗ unknown property → authServerUrl: Required, redirectUri: Required, popupRedirectUri: Required, scope: Required, onLogout: Required, root: Unrecognized key(s) in object: 'unknownProperty'",
       ]
     `);
   });