@thunderid/nuxt 0.0.1

package/dist/runtime/types.d.ts

@@ -0,0 +1,161 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import type { BrandingPreference, I18nPreferences, Organization, Platform, TokenEndpointAuthMethod, User, UserProfile } from '@thunderid/node';
+import type { JWTPayload } from 'jose';
+/**
+ * Configuration for the ThunderID Nuxt module.
+ */
+export interface ThunderIDNuxtConfig {
+    /** URL to redirect to after sign-in (default: '/') */
+    afterSignInUrl?: string;
+    /** URL to redirect to after sign-out (default: '/') */
+    afterSignOutUrl?: string;
+    /**
+     * ThunderID application id (`spId`) — appended to the redirect-based sign-up
+     * URL when present. Mirrors `applicationId` in the React/Next.js SDKs.
+     */
+    applicationId?: string;
+    /** Base URL of the ThunderID org tenant (e.g. https://api.asgardeo.io/t/your_org) */
+    baseUrl?: string;
+    /** OAuth2 Client ID */
+    clientId?: string;
+    /** OAuth2 Client Secret (server-only, use ASGARDEO_CLIENT_SECRET env var) */
+    clientSecret?: string;
+    /**
+     * Identity platform variant. Set to `Platform.ThunderIDV2` when connecting to
+     * a Thunder (ThunderIDV2) instance. Forwarded to the underlying Node client so
+     * platform-specific behaviours (e.g. issuer resolution) apply correctly.
+     */
+    platform?: keyof typeof Platform;
+    /**
+     * Feature-gating preferences that control which server-side data fetches
+     * the Nitro plugin performs on every SSR request.
+     */
+    preferences?: {
+        /** i18n configuration forwarded to `I18nProvider`. */
+        i18n?: I18nPreferences;
+        theme?: {
+            /**
+             * When true (default), the Nitro plugin fetches the branding preference
+             * from ThunderID and passes it to `BrandingProvider` / `ThemeProvider`.
+             */
+            inheritFromBranding?: boolean;
+            /**
+             * Theme mode forwarded to the Vue SDK's `ThemeProvider`.
+             * - `'light'` (default) | `'dark'`: Fixed color scheme. Toggle at runtime with `useTheme().toggleTheme()`.
+             * - `'system'`: Follows the OS `prefers-color-scheme`.
+             * - `'class'`: Reads a CSS class on `<html>` (works well with Tailwind dark-mode).
+             * - `'branding'`: Follows the active theme from the tenant's branding preference.
+             */
+            mode?: 'light' | 'dark' | 'system' | 'class' | 'branding';
+        };
+        user?: {
+            /** Whether to fetch the user's organisations during SSR (default: true). */
+            fetchOrganizations?: boolean;
+            /** Whether to fetch the SCIM2 user profile during SSR (default: true). */
+            fetchUserProfile?: boolean;
+        };
+    };
+    /** OAuth2 scopes to request */
+    scopes?: string[];
+    /** Secret for signing session JWTs (use ASGARDEO_SESSION_SECRET env var) */
+    sessionSecret?: string;
+    /**
+     * Optional override for the redirect-based sign-in URL. Reserved for
+     * parity with the React/Next.js SDKs; not currently used by the redirect
+     * flow (which goes through `/api/auth/signin`).
+     */
+    signInUrl?: string;
+    /**
+     * Optional override for the redirect-based sign-up URL. When set,
+     * `<ThunderIDSignUpButton>` and `useThunderID().signUp()` (no-arg) navigate
+     * here instead of deriving the URL from `baseUrl`/`clientId`.
+     */
+    signUpUrl?: string;
+    /**
+     * Configuration for the token endpoint request.
+     */
+    tokenRequest?: {
+        /**
+         * OAuth 2.0 client authentication method used at the token endpoint.
+         * Defaults to `client_secret_basic` for ThunderIDV2 and `client_secret_post`
+         * for all other platforms when not specified.
+         */
+        authMethod?: TokenEndpointAuthMethod;
+    };
+}
+/**
+ * Payload stored in the session JWT cookie.
+ */
+export interface ThunderIDSessionPayload extends JWTPayload {
+    accessToken: string;
+    /** Unix timestamp (seconds) when the access token expires. Used for proactive refresh. */
+    accessTokenExpiresAt?: number;
+    exp: number;
+    iat: number;
+    /** Raw ID token string (for userinfo derivation without in-memory store). */
+    idToken?: string;
+    organizationId?: string;
+    /** Refresh token for obtaining new access tokens without re-authentication. */
+    refreshToken?: string;
+    scopes: string;
+    sessionId: string;
+    sub: string;
+}
+/**
+ * Payload stored in the temporary session JWT cookie (during OAuth flow).
+ */
+export interface ThunderIDTempSessionPayload extends JWTPayload {
+    /** URL to redirect to after successful sign-in */
+    returnTo?: string;
+    sessionId: string;
+    type: 'temp';
+}
+/**
+ * Full SSR payload resolved by the Nitro plugin on each page request.
+ * Written to `event.context.thunderid.ssr` and subsequently seeded into
+ * hydrated `useState` keys so the client never re-fetches on first render.
+ */
+export interface ThunderIDSSRData {
+    /** Branding preference fetched from ThunderID (null when `preferences.theme.inheritFromBranding` is false). */
+    brandingPreference: BrandingPreference | null;
+    /** The organisation the user is currently acting within (null when not in an org). */
+    currentOrganization: Organization | null;
+    isSignedIn: boolean;
+    /** All organisations the user is a member of (empty array when `preferences.user.fetchOrganizations` is false). */
+    myOrganizations: Organization[];
+    /**
+     * The base URL actually used for this request.
+     * Equals `${baseUrl}/o` when the user is acting within an organisation
+     * (derived from the `user_org` claim in the ID token), otherwise equals
+     * the configured `baseUrl`.
+     */
+    resolvedBaseUrl: string | null;
+    session: ThunderIDSessionPayload | null;
+    user: User | null;
+    /** Flattened SCIM2 profile + raw profile + schemas (null when `preferences.user.fetchUserProfile` is false). */
+    userProfile: UserProfile | null;
+}
+/**
+ * Auth state hydrated from server to client via useState.
+ */
+export interface ThunderIDAuthState {
+    isLoading: boolean;
+    isSignedIn: boolean;
+    user: User | null;
+}

package/dist/runtime/utils/createRouteMatcher.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/**
+ * Create a route matcher function from an array of glob-like patterns.
+ *
+ * Patterns support:
+ * - Literal paths: `/dashboard`
+ * - Wildcard segments: `/admin/*` matches `/admin/users` but not `/admin/users/1`
+ * - Deep wildcards: `/admin/**` matches `/admin/users` and `/admin/users/1`
+ * - Explicit regex groups: `/api/(users|posts)` stays as-is
+ *
+ * @example
+ * ```ts
+ * const isProtectedRoute = createRouteMatcher(['/dashboard/**', '/admin/**']);
+ * const isPublicRoute = createRouteMatcher(['/', '/about', '/sign-in']);
+ *
+ * // In a global middleware:
+ * export default defineNuxtRouteMiddleware((to) => {
+ *   if (isProtectedRoute(to.path) && !authState.value?.isSignedIn) {
+ *     return navigateTo('/api/auth/signin', { external: true });
+ *   }
+ * });
+ * ```
+ */
+export declare function createRouteMatcher(patterns: string[]): (path: string) => boolean;

package/dist/runtime/utils/createRouteMatcher.js

@@ -0,0 +1,7 @@
+export function createRouteMatcher(patterns) {
+  const regexes = patterns.map((pattern) => {
+    const regexStr = pattern.replace(/[.+^${}|[\]\\]/g, "\\$&").replace(/\*\*/g, "___DOUBLE_STAR___").replace(/\*/g, "[^/]*").replace(/___DOUBLE_STAR___/g, ".*");
+    return new RegExp(`^${regexStr}$`);
+  });
+  return (path) => regexes.some((regex) => regex.test(path));
+}

package/dist/runtime/utils/index.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/**
+ * @thunderid/nuxt/utils
+ *
+ * Public utilities barrel. Import from this subpath to access
+ * utilities such as createRouteMatcher without polluting the
+ * global auto-import namespace.
+ *
+ * @example
+ * ```ts
+ * import { createRouteMatcher } from '@thunderid/nuxt/utils';
+ * ```
+ */
+export { createRouteMatcher } from './createRouteMatcher.js';

package/dist/runtime/utils/index.js

@@ -0,0 +1 @@
+export { createRouteMatcher } from "./createRouteMatcher.js";

package/dist/runtime/utils/log.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/**
+ * Mask a token so it is safe to include in logs and error messages.
+ * Shows the first 4 and last 4 characters, replacing the middle with "…".
+ *
+ * @example
+ * maskToken('eyJhbGciOiJIUzI1NiJ9.abc.xyz') // 'eyJh….xyz'
+ */
+export declare function maskToken(token: string): string;
+/**
+ * Create a namespaced logger for a specific SDK subsystem.
+ *
+ * Debug output is suppressed unless the `ASGARDEO_DEBUG` environment
+ * variable is set (any truthy value).
+ *
+ * @example
+ * ```ts
+ * const log = createLogger('session');
+ * log.info('Session created for', maskToken(accessToken));
+ * log.debug('Full payload', payload); // only logged when ASGARDEO_DEBUG=true
+ * ```
+ */
+export declare function createLogger(subsystem: string): {
+    debug: (...args: unknown[]) => void;
+    error: (...args: unknown[]) => void;
+    info: (...args: unknown[]) => void;
+    warn: (...args: unknown[]) => void;
+};

package/dist/runtime/utils/log.js

@@ -0,0 +1,25 @@
+const PREFIX = "@thunderid/nuxt";
+export function maskToken(token) {
+  if (!token) return "(empty)";
+  if (token.length <= 8) return "***";
+  return `${token.slice(0, 4)}\u2026${token.slice(-4)}`;
+}
+export function createLogger(subsystem) {
+  const tag = `[${PREFIX}:${subsystem}]`;
+  return {
+    debug: (...args) => {
+      if (process.env["ASGARDEO_DEBUG"]) {
+        console.log(tag, ...args);
+      }
+    },
+    error: (...args) => {
+      console.error(tag, ...args);
+    },
+    info: (...args) => {
+      console.log(tag, ...args);
+    },
+    warn: (...args) => {
+      console.warn(tag, ...args);
+    }
+  };
+}

package/dist/runtime/utils/url-validation.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/**
+ * Validate a `returnTo` / redirect URL supplied by the client.
+ *
+ * Rules (defence-in-depth against open-redirect attacks):
+ * 1. Must be a non-empty string.
+ * 2. Must start with `/` (relative path only — no protocol, no host).
+ * 3. Must NOT start with `//` (protocol-relative URL — resolves as absolute).
+ * 4. Must NOT contain a `\` after the leading `/` (browser normalises `\` to `/`).
+ * 5. Must NOT contain a `%2F` or `%5C` in the first two chars after `/`
+ *    (encoded slashes/backslashes that bypass rule 3/4 after URL decoding).
+ *
+ * Returns the validated URL as-is on success, or throws `ThunderIDError`
+ * with `ErrorCode.OpenRedirectBlocked` on failure.
+ *
+ * @example
+ * ```ts
+ * const safe = validateReturnUrl('/dashboard');          // '/dashboard'
+ * validateReturnUrl('//evil.com');                        // throws
+ * validateReturnUrl('https://evil.com');                  // throws
+ * validateReturnUrl('/\\evil.com');                       // throws
+ * ```
+ */
+export declare function validateReturnUrl(url: unknown): string;
+/**
+ * Safe variant of `validateReturnUrl` that returns a fallback instead of throwing.
+ *
+ * @example
+ * ```ts
+ * const url = safeReturnUrl(query.returnTo, '/dashboard');
+ * ```
+ */
+export declare function safeReturnUrl(url: unknown, fallback?: string): string;

package/dist/runtime/utils/url-validation.js

@@ -0,0 +1,38 @@
+import { ThunderIDError } from "../errors/thunderid-error.js";
+import { ErrorCode } from "../errors/error-codes.js";
+export function validateReturnUrl(url) {
+  if (typeof url !== "string" || url.trim() === "") {
+    throw new ThunderIDError("returnTo must be a non-empty string.", ErrorCode.OpenRedirectBlocked, { statusCode: 400 });
+  }
+  const trimmed = url.trim();
+  if (!trimmed.startsWith("/") || trimmed.startsWith("//")) {
+    throw new ThunderIDError(
+      `Open redirect blocked: returnTo "${trimmed}" must be a relative path starting with a single "/".`,
+      ErrorCode.OpenRedirectBlocked,
+      { statusCode: 400 }
+    );
+  }
+  if (trimmed.length > 1 && trimmed[1] === "\\") {
+    throw new ThunderIDError(
+      `Open redirect blocked: returnTo "${trimmed}" contains a backslash.`,
+      ErrorCode.OpenRedirectBlocked,
+      { statusCode: 400 }
+    );
+  }
+  const decoded = decodeURIComponent(trimmed.slice(1, 5).toLowerCase());
+  if (decoded.startsWith("/") || decoded.startsWith("\\")) {
+    throw new ThunderIDError(
+      `Open redirect blocked: returnTo "${trimmed}" contains an encoded redirect sequence.`,
+      ErrorCode.OpenRedirectBlocked,
+      { statusCode: 400 }
+    );
+  }
+  return trimmed;
+}
+export function safeReturnUrl(url, fallback = "/") {
+  try {
+    return validateReturnUrl(url);
+  } catch {
+    return fallback;
+  }
+}

package/dist/types.d.mts

@@ -0,0 +1,7 @@
+import type { NuxtModule } from '@nuxt/schema'
+
+import type { default as Module } from './module.mjs'
+
+export type ModuleOptions = typeof Module extends NuxtModule<infer O> ? Partial<O> : Record<string, any>
+
+export { default } from './module.mjs'

package/package.json

@@ -0,0 +1,101 @@
+{
+  "name": "@thunderid/nuxt",
+  "version": "0.0.1",
+  "description": "Nuxt SDK for ThunderID",
+  "keywords": [
+    "thunderid",
+    "nuxt",
+    "nuxtjs",
+    "ssr"
+  ],
+  "homepage": "https://github.com/thunder-id/thunderid/tree/main/sdks/nuxt#readme",
+  "bugs": {
+    "url": "https://github.com/thunder-id/thunderid/issues"
+  },
+  "author": "WSO2",
+  "license": "Apache-2.0",
+  "type": "module",
+  "main": "./dist/module.mjs",
+  "exports": {
+    ".": {
+      "types": "./dist/types.d.mts",
+      "import": "./dist/module.mjs"
+    },
+    "./server": {
+      "types": "./dist/runtime/server/index.d.ts",
+      "import": "./dist/runtime/server/index.js"
+    },
+    "./errors": {
+      "types": "./dist/runtime/errors/index.d.ts",
+      "import": "./dist/runtime/errors/index.js"
+    },
+    "./utils": {
+      "types": "./dist/runtime/utils/index.d.ts",
+      "import": "./dist/runtime/utils/index.js"
+    }
+  },
+  "typesVersions": {
+    "*": {
+      ".": [
+        "./dist/types.d.mts"
+      ],
+      "server": [
+        "./dist/runtime/server/index.d.ts"
+      ],
+      "errors": [
+        "./dist/runtime/errors/index.d.ts"
+      ],
+      "utils": [
+        "./dist/runtime/utils/index.d.ts"
+      ]
+    }
+  },
+  "files": [
+    "dist",
+    "LICENSE",
+    "README.md"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/thunder-id/thunderid",
+    "directory": "packages/nuxt"
+  },
+  "dependencies": {
+    "@nuxt/kit": "3.16.2",
+    "defu": "6.1.5",
+    "jose": "5.2.0",
+    "@thunderid/browser": "^0.0.1",
+    "@thunderid/node": "^0.0.1",
+    "@thunderid/vue": "^0.0.1"
+  },
+  "devDependencies": {
+    "@nuxt/devtools": "2.4.0",
+    "@nuxt/module-builder": "1.0.1",
+    "@nuxt/schema": "3.16.2",
+    "@nuxt/test-utils": "3.17.2",
+    "@types/node": "24.7.2",
+    "eslint": "9.39.4",
+    "h3": "1.15.11",
+    "nuxt": "3.16.2",
+    "typescript": "5.9.3",
+    "vitest": "4.1.3",
+    "@thunderid/eslint-plugin": "^0.0.0",
+    "@thunderid/prettier-config": "^0.0.0"
+  },
+  "peerDependencies": {
+    "nuxt": ">=3.10.0",
+    "vue": ">=3.5.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "nuxt module-build prepare && nuxt module-build build",
+    "format:check": "prettier --check --cache .",
+    "format:fix": "prettier --write --cache .",
+    "lint": "nuxt prepare && eslint .",
+    "lint:fix": "nuxt prepare && eslint . --fix",
+    "test": "vitest run --passWithNoTests",
+    "typecheck": "nuxt module-build prepare && vue-tsc --noEmit"
+  }
+}