@thunderid/nuxt 0.0.1

package/dist/runtime/server/routes/auth/session/callback.get.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/**
+ * GET /api/auth/callback
+ *
+ * Handles the OAuth2 callback from ThunderID.
+ * Exchanges the authorization code for tokens,
+ * creates a signed session JWT cookie,
+ * and redirects to afterSignInUrl.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<void>>;
+export default _default;

package/dist/runtime/server/routes/auth/session/callback.get.js

@@ -0,0 +1,91 @@
+import { defineEventHandler, getQuery, getCookie, deleteCookie, sendRedirect, createError } from "h3";
+import ThunderIDNuxtClient from "../../../ThunderIDNuxtClient.js";
+import {
+  issueSessionCookie,
+  verifyTempSessionToken,
+  getTempSessionCookieName,
+  getTempSessionCookieOptions
+} from "../../../utils/session.js";
+import { useRuntimeConfig } from "#imports";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const sessionSecret = config.thunderid?.sessionSecret;
+  const publicConfig = config.public.thunderid;
+  const query = getQuery(event);
+  const code = query["code"];
+  const state = query["state"];
+  const sessionState = query["session_state"];
+  const error = query["error"];
+  const errorDescription = query["error_description"];
+  if (error) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: `Authentication failed: ${errorDescription || error}`
+    });
+  }
+  if (!code || !state) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Missing required OAuth parameters: code and state are required."
+    });
+  }
+  const tempSessionCookie = getCookie(event, getTempSessionCookieName());
+  if (!tempSessionCookie) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "No temporary session found. Please start the sign-in flow again."
+    });
+  }
+  let sessionId;
+  let returnTo;
+  try {
+    const tempSession = await verifyTempSessionToken(
+      tempSessionCookie,
+      sessionSecret
+    );
+    sessionId = tempSession.sessionId;
+    returnTo = tempSession.returnTo;
+  } catch {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Invalid or expired temporary session. Please start the sign-in flow again."
+    });
+  }
+  const client = ThunderIDNuxtClient.getInstance();
+  let tokenResponse;
+  try {
+    tokenResponse = await client.signIn(
+      () => {
+      },
+      // no-op redirect callback (we're handling the code exchange)
+      sessionId,
+      code,
+      sessionState || "",
+      state
+    );
+  } catch (err) {
+    throw createError({
+      data: err?.message || "An unexpected error occurred during token exchange.",
+      statusCode: 500,
+      statusMessage: "Token exchange failed."
+    });
+  }
+  if (!tokenResponse?.accessToken && !tokenResponse?.idToken) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Token exchange failed: Invalid response from Identity Provider."
+    });
+  }
+  try {
+    await issueSessionCookie(event, sessionId, tokenResponse, sessionSecret);
+    deleteCookie(event, getTempSessionCookieName(), getTempSessionCookieOptions());
+  } catch (err) {
+    console.error("[thunderid] Failed to create JWT session:", err?.message || err);
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Failed to establish session after authentication."
+    });
+  }
+  const redirectUrl = returnTo || publicConfig.afterSignInUrl || "/";
+  return sendRedirect(event, redirectUrl, 302);
+});

package/dist/runtime/server/routes/auth/session/callback.post.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/**
+ * POST /api/auth/callback
+ *
+ * Exchanges an authorization code for tokens and issues a session cookie.
+ * Called by the client-side `ThunderIDCallback` component after the IDP
+ * redirects back with `?code=...&state=...`.
+ *
+ * Request body:
+ * - `code` — authorization code from the IDP redirect
+ * - `state` — state parameter from the redirect
+ * - `sessionState` — session_state parameter from the redirect (optional)
+ *
+ * Response shape (success):
+ * ```json
+ * { "redirectUrl": "/dashboard", "success": true }
+ * ```
+ * Response shape (error):
+ * ```json
+ * { "success": false, "error": "..." }
+ * ```
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    error: any;
+    success: boolean;
+    redirectUrl?: undefined;
+} | {
+    redirectUrl: string;
+    success: boolean;
+    error?: undefined;
+}>>;
+export default _default;

package/dist/runtime/server/routes/auth/session/callback.post.js

@@ -0,0 +1,53 @@
+import { defineEventHandler, readBody, getCookie, deleteCookie, createError } from "h3";
+import ThunderIDNuxtClient from "../../../ThunderIDNuxtClient.js";
+import {
+  issueSessionCookie,
+  verifyTempSessionToken,
+  getTempSessionCookieName,
+  getTempSessionCookieOptions
+} from "../../../utils/session.js";
+import { useRuntimeConfig } from "#imports";
+function isTokenResponse(value) {
+  return typeof value === "object" && value !== null && ("accessToken" in value || "idToken" in value || "refreshToken" in value);
+}
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const sessionSecret = config.thunderid?.sessionSecret;
+  const afterSignInUrl = config.public.thunderid?.afterSignInUrl || "/";
+  const body = await readBody(event);
+  const { code, state, sessionState } = body ?? {};
+  if (!code) {
+    throw createError({ statusCode: 400, statusMessage: "Missing required parameter: code" });
+  }
+  const tempCookie = getCookie(event, getTempSessionCookieName());
+  if (!tempCookie) {
+    throw createError({ statusCode: 400, statusMessage: "No active auth session found. Please restart sign-in." });
+  }
+  let sessionId;
+  try {
+    const tempSession = await verifyTempSessionToken(
+      tempCookie,
+      sessionSecret
+    );
+    sessionId = tempSession.sessionId;
+  } catch {
+    throw createError({ statusCode: 400, statusMessage: "Auth session expired or invalid. Please restart sign-in." });
+  }
+  const client = ThunderIDNuxtClient.getInstance();
+  let tokenResponse;
+  try {
+    tokenResponse = await client.signIn({ code, session_state: sessionState, state }, {}, sessionId);
+  } catch (err) {
+    return { error: err?.message ?? String(err), success: false };
+  }
+  if (!isTokenResponse(tokenResponse)) {
+    return { error: "Invalid token response from Identity Provider.", success: false };
+  }
+  try {
+    await issueSessionCookie(event, sessionId, tokenResponse, sessionSecret);
+    deleteCookie(event, getTempSessionCookieName(), getTempSessionCookieOptions());
+  } catch (err) {
+    return { error: `Failed to establish session: ${err?.message ?? String(err)}`, success: false };
+  }
+  return { redirectUrl: afterSignInUrl, success: true };
+});

package/dist/runtime/server/routes/auth/session/session.get.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import type { ThunderIDAuthState } from '../../../../types.js';
+/**
+ * GET /api/auth/session
+ *
+ * Returns the current auth state: { isSignedIn, user, isLoading }.
+ * Used by the client-side composable to hydrate auth state.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<ThunderIDAuthState>>;
+export default _default;

package/dist/runtime/server/routes/auth/session/session.get.js

@@ -0,0 +1,22 @@
+import { defineEventHandler } from "h3";
+import ThunderIDNuxtClient from "../../../ThunderIDNuxtClient.js";
+import { verifyAndRehydrateSession } from "../../../utils/serverSession.js";
+import { useRuntimeConfig } from "#imports";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const sessionSecret = config.thunderid?.sessionSecret;
+  const session = await verifyAndRehydrateSession(
+    event,
+    sessionSecret
+  );
+  if (!session) {
+    return { isLoading: false, isSignedIn: false, user: null };
+  }
+  try {
+    const client = ThunderIDNuxtClient.getInstance();
+    const user = await client.getUser(session.sessionId);
+    return { isLoading: false, isSignedIn: true, user };
+  } catch {
+    return { isLoading: false, isSignedIn: false, user: null };
+  }
+});

package/dist/runtime/server/routes/auth/session/signin.get.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/**
+ * GET /api/auth/signin
+ *
+ * Initiates the OAuth2 authorization code flow with PKCE.
+ * Creates a temp session, stores it in a signed JWT cookie,
+ * and redirects the user to ThunderID's authorization endpoint.
+ *
+ * Accepts an optional `returnTo` query parameter to redirect
+ * the user to a specific page after sign-in.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<void>>;
+export default _default;

package/dist/runtime/server/routes/auth/session/signin.get.js

@@ -0,0 +1,37 @@
+import { generateSessionId } from "@thunderid/node";
+import { defineEventHandler, getQuery, sendRedirect, setCookie, createError } from "h3";
+import ThunderIDNuxtClient from "../../../ThunderIDNuxtClient.js";
+import { createTempSessionToken, getTempSessionCookieName, getTempSessionCookieOptions } from "../../../utils/session.js";
+import { useRuntimeConfig } from "#imports";
+export default defineEventHandler(async (event) => {
+  const client = ThunderIDNuxtClient.getInstance();
+  const config = useRuntimeConfig();
+  const sessionSecret = config.thunderid?.sessionSecret;
+  const query = getQuery(event);
+  const returnTo = query["returnTo"];
+  const safeReturnTo = returnTo && returnTo.startsWith("/") && !returnTo.startsWith("//") ? returnTo : void 0;
+  const sessionId = generateSessionId();
+  const tempToken = await createTempSessionToken(sessionId, sessionSecret, safeReturnTo);
+  setCookie(event, getTempSessionCookieName(), tempToken, getTempSessionCookieOptions());
+  let authorizationUrl = null;
+  await client.signIn(
+    (url) => {
+      authorizationUrl = url;
+    },
+    sessionId,
+    void 0,
+    // no authorization code (initial redirect)
+    void 0,
+    // no session_state
+    void 0,
+    // no state
+    {}
+  );
+  if (!authorizationUrl) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Failed to generate authorization URL."
+    });
+  }
+  return sendRedirect(event, authorizationUrl, 302);
+});

package/dist/runtime/server/routes/auth/session/signin.post.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/**
+ * POST /api/auth/signin
+ *
+ * Handles embedded (app-native) sign-in flow steps.
+ *
+ * Request body:
+ * - `payload` — the embedded flow step payload (`EmbeddedSignInFlowHandleRequestPayload`).
+ *   When omitted or `{}`, the flow is initialised and the authorize URL is returned.
+ * - `request` — optional per-step config (e.g. `{ url }` override).
+ *
+ * Response shape:
+ * ```json
+ * { "data": { ... }, "success": true }
+ * ```
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    data: unknown;
+    success: boolean;
+}>>;
+export default _default;

package/dist/runtime/server/routes/auth/session/signin.post.js

@@ -0,0 +1,102 @@
+import { EmbeddedSignInFlowStatus, generateSessionId, isEmpty } from "@thunderid/node";
+import { defineEventHandler, readBody, getCookie, setCookie, deleteCookie, createError } from "h3";
+import ThunderIDNuxtClient from "../../../ThunderIDNuxtClient.js";
+import { useServerSession } from "../../../utils/serverSession.js";
+import {
+  issueSessionCookie,
+  createTempSessionToken,
+  verifyTempSessionToken,
+  getTempSessionCookieName,
+  getTempSessionCookieOptions
+} from "../../../utils/session.js";
+import { useRuntimeConfig } from "#imports";
+function isTokenResponse(value) {
+  return typeof value === "object" && value !== null && ("accessToken" in value || "idToken" in value || "refreshToken" in value);
+}
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const sessionSecret = config.thunderid?.sessionSecret;
+  const afterSignInUrl = config.public.thunderid?.afterSignInUrl || "/";
+  const client = ThunderIDNuxtClient.getInstance();
+  let sessionId;
+  const liveSession = await useServerSession(event);
+  if (liveSession?.sessionId) {
+    sessionId = liveSession.sessionId;
+  } else {
+    const tempCookie = getCookie(event, getTempSessionCookieName());
+    if (tempCookie) {
+      try {
+        const tempSession = await verifyTempSessionToken(
+          tempCookie,
+          sessionSecret
+        );
+        sessionId = tempSession.sessionId;
+      } catch {
+        sessionId = generateSessionId();
+      }
+    } else {
+      sessionId = generateSessionId();
+    }
+    const tempToken = await createTempSessionToken(sessionId, sessionSecret);
+    setCookie(event, getTempSessionCookieName(), tempToken, getTempSessionCookieOptions());
+  }
+  const body = await readBody(event);
+  const payload = body?.payload ?? {};
+  const request = body?.request ?? {};
+  if (isEmpty(payload) || !("flowId" in payload)) {
+    try {
+      const signInUrl = await client.getAuthorizeRequestUrl(
+        { client_secret: "{{clientSecret}}", response_mode: "direct" },
+        sessionId
+      );
+      return { data: { signInUrl }, success: true };
+    } catch (err) {
+      throw createError({
+        statusCode: 500,
+        statusMessage: `Failed to build authorize URL: ${err?.message ?? String(err)}`
+      });
+    }
+  }
+  let response;
+  try {
+    response = await client.signIn(payload, request, sessionId);
+  } catch (err) {
+    throw createError({
+      statusCode: 502,
+      statusMessage: `Embedded sign-in step failed: ${err?.message ?? String(err)}`
+    });
+  }
+  if (response?.flowStatus === EmbeddedSignInFlowStatus.SuccessCompleted) {
+    const authData = response?.authData ?? {};
+    const { code, state, session_state: sessionState } = authData;
+    if (!code) {
+      throw createError({ statusCode: 502, statusMessage: "Authorization code missing from completed flow response." });
+    }
+    let tokenResponse;
+    try {
+      tokenResponse = await client.signIn({ code, session_state: sessionState, state }, {}, sessionId);
+    } catch (err) {
+      throw createError({
+        statusCode: 502,
+        statusMessage: `Token exchange failed after embedded flow: ${err?.message ?? String(err)}`
+      });
+    }
+    if (!isTokenResponse(tokenResponse)) {
+      throw createError({
+        statusCode: 502,
+        statusMessage: "Token exchange failed: Invalid token response from Identity Provider."
+      });
+    }
+    try {
+      await issueSessionCookie(event, sessionId, tokenResponse, sessionSecret);
+      deleteCookie(event, getTempSessionCookieName(), getTempSessionCookieOptions());
+    } catch (err) {
+      throw createError({
+        statusCode: 500,
+        statusMessage: `Failed to establish session: ${err?.message ?? String(err)}`
+      });
+    }
+    return { data: { afterSignInUrl }, success: true };
+  }
+  return { data: response, success: true };
+});

package/dist/runtime/server/routes/auth/session/signout.post.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/**
+ * POST /api/auth/signout
+ *
+ * Signs the user out by:
+ * 1. Getting the sign-out URL from ThunderID (for RP-Initiated Logout)
+ * 2. Clearing all session cookies
+ * 3. Returning `{ redirectUrl }` for the client to navigate to
+ *
+ * Using POST instead of GET prevents CSRF-based forced sign-outs.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    redirectUrl: string;
+}>>;
+export default _default;

package/dist/runtime/server/routes/auth/session/signout.post.js

@@ -0,0 +1,38 @@
+import { defineEventHandler, deleteCookie } from "h3";
+import ThunderIDNuxtClient from "../../../ThunderIDNuxtClient.js";
+import { verifyAndRehydrateSession } from "../../../utils/serverSession.js";
+import {
+  getSessionCookieName,
+  getSessionCookieOptions,
+  getTempSessionCookieName,
+  getTempSessionCookieOptions
+} from "../../../utils/session.js";
+import { useRuntimeConfig } from "#imports";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const sessionSecret = config.thunderid?.sessionSecret;
+  const publicConfig = config.public.thunderid;
+  const fallbackUrl = publicConfig.afterSignOutUrl || "/";
+  const clearCookies = () => {
+    deleteCookie(event, getSessionCookieName(), getSessionCookieOptions());
+    deleteCookie(event, getTempSessionCookieName(), getTempSessionCookieOptions());
+  };
+  const session = await verifyAndRehydrateSession(
+    event,
+    sessionSecret
+  );
+  if (!session) {
+    clearCookies();
+    return { redirectUrl: fallbackUrl };
+  }
+  try {
+    const client = ThunderIDNuxtClient.getInstance();
+    const signOutUrl = await client.signOut(session.sessionId);
+    clearCookies();
+    return { redirectUrl: signOutUrl || fallbackUrl };
+  } catch (err) {
+    console.error("[thunderid] Sign-out error:", err?.message || err);
+    clearCookies();
+    return { redirectUrl: fallbackUrl };
+  }
+});

package/dist/runtime/server/routes/auth/session/signup.post.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/**
+ * POST /api/auth/signup
+ *
+ * Handles embedded (app-native) sign-up flow steps.
+ *
+ * Request body:
+ * - `payload` — the embedded sign-up flow step payload (`EmbeddedFlowExecuteRequestPayload`).
+ *   When omitted, returns an empty `signUpUrl` (caller should redirect to the sign-up page).
+ *
+ * Response shape:
+ * ```json
+ * { "data": { ... }, "success": true }
+ * ```
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    data: unknown;
+    success: boolean;
+}>>;
+export default _default;

package/dist/runtime/server/routes/auth/session/signup.post.js

@@ -0,0 +1,30 @@
+import { EmbeddedFlowStatus } from "@thunderid/node";
+import { defineEventHandler, readBody, createError } from "h3";
+import ThunderIDNuxtClient from "../../../ThunderIDNuxtClient.js";
+import { useRuntimeConfig } from "#imports";
+function hasFlowStatus(value) {
+  return typeof value === "object" && value !== null && "flowStatus" in value;
+}
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const afterSignUpUrl = config.public.thunderid?.afterSignInUrl || "/";
+  const body = await readBody(event);
+  const payload = body?.payload;
+  if (!payload) {
+    return { data: { signUpUrl: "" }, success: true };
+  }
+  const client = ThunderIDNuxtClient.getInstance();
+  let response;
+  try {
+    response = await client.signUp(payload);
+  } catch (err) {
+    throw createError({
+      statusCode: 502,
+      statusMessage: `Embedded sign-up step failed: ${err?.message ?? String(err)}`
+    });
+  }
+  if (hasFlowStatus(response) && response.flowStatus === EmbeddedFlowStatus.Complete) {
+    return { data: { afterSignUpUrl }, success: true };
+  }
+  return { data: response, success: true };
+});

package/dist/runtime/server/routes/auth/session/token.get.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/**
+ * GET /api/auth/token
+ *
+ * Returns a valid access token for the current session.
+ * Proactively refreshes the token if it is within 60 seconds of expiry
+ * (requires a refresh token stored in the session JWT).
+ * Returns 401 if there is no active session or the token cannot be refreshed.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    accessToken: string;
+}>>;
+export default _default;

package/dist/runtime/server/routes/auth/session/token.get.js

@@ -0,0 +1,6 @@
+import { defineEventHandler } from "h3";
+import { getValidAccessToken } from "../../../utils/token-refresh.js";
+export default defineEventHandler(async (event) => {
+  const accessToken = await getValidAccessToken(event);
+  return { accessToken };
+});