@vertz/ui 0.2.12 → 0.2.13

package/dist/src/auth/public.js

@@ -0,0 +1,773 @@
+import {
+  _tryOnCleanup,
+  computed,
+  createContext,
+  signal,
+  useContext
+} from "../../shared/chunk-8hsz5y4a.js";
+
+// src/auth/access-context.ts
+var AccessContext = createContext(undefined, "@vertz/ui::AccessContext");
+function useAccessContext() {
+  const ctx = useContext(AccessContext);
+  if (!ctx) {
+    throw new Error("useAccessContext must be called within AccessContext.Provider");
+  }
+  return ctx;
+}
+function createFallbackDenied() {
+  return {
+    allowed: computed(() => false),
+    reasons: computed(() => ["not_authenticated"]),
+    reason: computed(() => "not_authenticated"),
+    meta: computed(() => {
+      return;
+    }),
+    loading: computed(() => false)
+  };
+}
+var __DEV__ = typeof process !== "undefined" && true;
+function can(entitlement, entity) {
+  const ctx = useContext(AccessContext);
+  if (!ctx) {
+    if (__DEV__) {
+      console.warn("can() called without AccessContext.Provider — all checks denied");
+    }
+    return createFallbackDenied();
+  }
+  const accessData = computed(() => {
+    if (entity?.__access?.[entitlement])
+      return entity.__access[entitlement];
+    const set = ctx.accessSet;
+    return set?.entitlements[entitlement] ?? null;
+  });
+  return {
+    allowed: computed(() => accessData.value?.allowed ?? false),
+    reasons: computed(() => accessData.value?.reasons ?? []),
+    reason: computed(() => accessData.value?.reason),
+    meta: computed(() => accessData.value?.meta),
+    loading: computed(() => {
+      const set = ctx.accessSet;
+      if (!set)
+        return ctx.loading;
+      return false;
+    })
+  };
+}
+// src/auth/access-event-client.ts
+var BASE_BACKOFF_MS = 1000;
+var MAX_BACKOFF_MS = 30000;
+var JITTER_FACTOR = 0.25;
+function createAccessEventClient(options) {
+  const { onEvent, onReconnect } = options;
+  let ws = null;
+  let reconnectTimer;
+  let backoffMs = BASE_BACKOFF_MS;
+  let hasConnectedBefore = false;
+  let intentionalDisconnect = false;
+  let disposed = false;
+  function getUrl() {
+    if (options.url)
+      return options.url;
+    if (typeof window !== "undefined") {
+      const protocol = window.location.protocol === "https:" ? "wss:" : "ws:";
+      return `${protocol}//${window.location.host}/api/auth/access-events`;
+    }
+    return "ws://localhost/api/auth/access-events";
+  }
+  function applyJitter(delay) {
+    const jitter = delay * JITTER_FACTOR;
+    return delay - jitter + Math.random() * jitter * 2;
+  }
+  function scheduleReconnect() {
+    if (intentionalDisconnect || disposed)
+      return;
+    const delay = applyJitter(backoffMs);
+    reconnectTimer = setTimeout(() => {
+      reconnectTimer = undefined;
+      doConnect();
+    }, delay);
+    backoffMs = Math.min(backoffMs * 2, MAX_BACKOFF_MS);
+  }
+  function clearReconnectTimer() {
+    if (reconnectTimer !== undefined) {
+      clearTimeout(reconnectTimer);
+      reconnectTimer = undefined;
+    }
+  }
+  function doConnect() {
+    if (disposed)
+      return;
+    ws = new WebSocket(getUrl());
+    ws.onopen = () => {
+      backoffMs = BASE_BACKOFF_MS;
+      if (hasConnectedBefore) {
+        onReconnect();
+      }
+      hasConnectedBefore = true;
+    };
+    ws.onmessage = (event) => {
+      try {
+        const data = JSON.parse(event.data);
+        onEvent(data);
+      } catch {}
+    };
+    ws.onclose = () => {
+      ws = null;
+      if (!intentionalDisconnect && !disposed) {
+        scheduleReconnect();
+      }
+    };
+    ws.onerror = () => {};
+  }
+  function connect() {
+    intentionalDisconnect = false;
+    doConnect();
+  }
+  function disconnect() {
+    intentionalDisconnect = true;
+    clearReconnectTimer();
+    if (ws) {
+      ws.onclose = null;
+      ws.close();
+      ws = null;
+    }
+  }
+  function dispose() {
+    disposed = true;
+    disconnect();
+  }
+  return { connect, disconnect, dispose };
+}
+// src/auth/access-gate.ts
+function AccessGate({
+  fallback,
+  children
+}) {
+  const ctx = useContext(AccessContext);
+  if (!ctx) {
+    return typeof children === "function" ? children() : children;
+  }
+  const isLoaded = computed(() => {
+    const set = ctx.accessSet;
+    return set !== null;
+  });
+  return computed(() => {
+    if (isLoaded.value) {
+      return typeof children === "function" ? children() : children;
+    }
+    return fallback ? fallback() : null;
+  });
+}
+// src/auth/access-event-handler.ts
+function handleAccessEvent(accessSet, event, flagEntitlementMap) {
+  const current = accessSet.value;
+  if (!current)
+    return;
+  switch (event.type) {
+    case "access:flag_toggled":
+      handleFlagToggle(accessSet, current, event.flag, event.enabled, flagEntitlementMap);
+      break;
+    case "access:limit_updated":
+      handleLimitUpdate(accessSet, current, event.entitlement, event.consumed, event.remaining, event.max);
+      break;
+    case "access:role_changed":
+    case "access:plan_changed":
+      break;
+  }
+}
+function handleFlagToggle(accessSet, current, flag, enabled, flagEntitlementMap) {
+  const newFlags = { ...current.flags, [flag]: enabled };
+  const newEntitlements = { ...current.entitlements };
+  if (flagEntitlementMap) {
+    for (const [name, requiredFlags] of Object.entries(flagEntitlementMap)) {
+      if (!requiredFlags.includes(flag))
+        continue;
+      if (!enabled) {
+        newEntitlements[name] = {
+          allowed: false,
+          reasons: ["flag_disabled"],
+          reason: "flag_disabled",
+          meta: { disabledFlags: [flag] }
+        };
+      } else {
+        const existing = newEntitlements[name];
+        if (existing?.reason === "flag_disabled") {
+          newEntitlements[name] = { allowed: true, reasons: [] };
+        }
+      }
+    }
+  }
+  accessSet.value = { ...current, flags: newFlags, entitlements: newEntitlements };
+}
+function handleLimitUpdate(accessSet, current, entitlement, consumed, remaining, max) {
+  const existingEntry = current.entitlements[entitlement];
+  if (!existingEntry)
+    return;
+  const newLimit = { max, consumed, remaining };
+  const newEntitlements = { ...current.entitlements };
+  if (remaining <= 0) {
+    const reasons = [...existingEntry.reasons];
+    if (!reasons.includes("limit_reached"))
+      reasons.push("limit_reached");
+    const entry = {
+      ...existingEntry,
+      allowed: false,
+      reasons,
+      reason: reasons[0],
+      meta: { ...existingEntry.meta, limit: newLimit }
+    };
+    newEntitlements[entitlement] = entry;
+  } else {
+    newEntitlements[entitlement] = {
+      ...existingEntry,
+      meta: { ...existingEntry.meta, limit: newLimit }
+    };
+  }
+  accessSet.value = { ...current, entitlements: newEntitlements };
+}
+
+// src/auth/auth-client.ts
+import { err, ok } from "@vertz/fetch";
+async function parseAuthError(res) {
+  let code = "SERVER_ERROR";
+  let message = "An unexpected error occurred";
+  let retryAfter;
+  try {
+    const body = await res.json();
+    if (body.code)
+      code = body.code;
+    if (body.message)
+      message = body.message;
+  } catch {}
+  if (res.status === 401) {
+    code = code === "SERVER_ERROR" ? "INVALID_CREDENTIALS" : code;
+    message = message === "An unexpected error occurred" ? "Invalid email or password" : message;
+  } else if (res.status === 409) {
+    code = code === "SERVER_ERROR" ? "USER_EXISTS" : code;
+    message = message === "An unexpected error occurred" ? "An account with this email already exists" : message;
+  } else if (res.status === 429) {
+    code = "RATE_LIMITED";
+    const retryHeader = res.headers.get("Retry-After");
+    if (retryHeader)
+      retryAfter = Number.parseInt(retryHeader, 10);
+  }
+  return { code, message, statusCode: res.status, retryAfter };
+}
+function createAuthMethod({
+  basePath,
+  endpoint,
+  httpMethod,
+  schema,
+  onSuccess
+}) {
+  const url = `${basePath}/${endpoint}`;
+  const fn = async (body) => {
+    let res;
+    try {
+      res = await fetch(url, {
+        method: httpMethod,
+        headers: {
+          "Content-Type": "application/json",
+          "X-VTZ-Request": "1"
+        },
+        credentials: "include",
+        body: JSON.stringify(body)
+      });
+    } catch (e) {
+      const networkError = {
+        code: "NETWORK_ERROR",
+        message: e instanceof Error ? e.message : "Network error",
+        statusCode: 0
+      };
+      return err(Object.assign(new Error(networkError.message), networkError));
+    }
+    if (!res.ok) {
+      const authError = await parseAuthError(res);
+      return err(Object.assign(new Error(authError.message), authError));
+    }
+    const data = await res.json();
+    onSuccess(data);
+    return ok(data);
+  };
+  return Object.assign(fn, {
+    url,
+    method: httpMethod,
+    meta: { bodySchema: schema }
+  });
+}
+
+// src/auth/auth-types.ts
+var signInSchema = {
+  parse(data) {
+    const d = data;
+    const errors = [];
+    if (!d.email || typeof d.email !== "string" || !d.email.includes("@")) {
+      errors.push({ path: ["email"], message: "Valid email is required" });
+    }
+    if (!d.password || typeof d.password !== "string") {
+      errors.push({ path: ["password"], message: "Password is required" });
+    }
+    if (errors.length > 0) {
+      const err2 = new Error("Validation failed");
+      err2.issues = errors;
+      return { ok: false, error: err2 };
+    }
+    return { ok: true, data: { email: d.email, password: d.password } };
+  }
+};
+var signUpSchema = {
+  parse(data) {
+    const d = data;
+    const errors = [];
+    if (!d.email || typeof d.email !== "string" || !d.email.includes("@")) {
+      errors.push({ path: ["email"], message: "Valid email is required" });
+    }
+    if (!d.password || typeof d.password !== "string" || d.password.length < 8) {
+      errors.push({ path: ["password"], message: "Password must be at least 8 characters" });
+    }
+    if (errors.length > 0) {
+      const err2 = new Error("Validation failed");
+      err2.issues = errors;
+      return { ok: false, error: err2 };
+    }
+    const { email, password, ...rest } = d;
+    return {
+      ok: true,
+      data: { email, password, ...rest }
+    };
+  }
+};
+var mfaSchema = {
+  parse(data) {
+    const d = data;
+    if (!d.code || typeof d.code !== "string" || d.code.length !== 6) {
+      const err2 = new Error("Validation failed");
+      err2.issues = [
+        { path: ["code"], message: "Enter a 6-digit code" }
+      ];
+      return { ok: false, error: err2 };
+    }
+    return { ok: true, data: { code: d.code } };
+  }
+};
+var forgotPasswordSchema = {
+  parse(data) {
+    const d = data;
+    if (!d.email || typeof d.email !== "string" || !d.email.includes("@")) {
+      const err2 = new Error("Validation failed");
+      err2.issues = [
+        { path: ["email"], message: "Valid email is required" }
+      ];
+      return { ok: false, error: err2 };
+    }
+    return { ok: true, data: { email: d.email } };
+  }
+};
+var resetPasswordSchema = {
+  parse(data) {
+    const d = data;
+    const errors = [];
+    if (!d.token || typeof d.token !== "string") {
+      errors.push({ path: ["token"], message: "Token is required" });
+    }
+    if (!d.password || typeof d.password !== "string" || d.password.length < 8) {
+      errors.push({ path: ["password"], message: "Password must be at least 8 characters" });
+    }
+    if (errors.length > 0) {
+      const err2 = new Error("Validation failed");
+      err2.issues = errors;
+      return { ok: false, error: err2 };
+    }
+    return {
+      ok: true,
+      data: { token: d.token, password: d.password }
+    };
+  }
+};
+
+// src/auth/token-refresh.ts
+var REFRESH_MARGIN_MS = 1e4;
+function createTokenRefresh({ onRefresh }) {
+  let timerId;
+  let inflightPromise = null;
+  let lastExpiresAt = null;
+  let pendingOfflineRefresh = false;
+  function schedule(expiresAt) {
+    lastExpiresAt = expiresAt;
+    pendingOfflineRefresh = false;
+    clearTimer();
+    const delay = Math.max(0, expiresAt - Date.now() - REFRESH_MARGIN_MS);
+    timerId = setTimeout(() => {
+      executeRefresh();
+    }, delay);
+  }
+  function executeRefresh() {
+    if (inflightPromise)
+      return;
+    if (typeof navigator !== "undefined" && navigator.onLine === false) {
+      pendingOfflineRefresh = true;
+      return;
+    }
+    inflightPromise = onRefresh().finally(() => {
+      inflightPromise = null;
+    });
+    inflightPromise.catch(() => {});
+  }
+  function clearTimer() {
+    if (timerId !== undefined) {
+      clearTimeout(timerId);
+      timerId = undefined;
+    }
+  }
+  function cancel() {
+    clearTimer();
+    lastExpiresAt = null;
+    pendingOfflineRefresh = false;
+  }
+  let visibilityHandler;
+  if (typeof document !== "undefined") {
+    visibilityHandler = () => {
+      if (document.visibilityState === "hidden") {
+        clearTimer();
+      } else if (lastExpiresAt !== null) {
+        schedule(lastExpiresAt);
+      }
+    };
+    document.addEventListener("visibilitychange", visibilityHandler);
+  }
+  let onlineHandler;
+  if (typeof window !== "undefined") {
+    onlineHandler = () => {
+      if (pendingOfflineRefresh) {
+        pendingOfflineRefresh = false;
+        executeRefresh();
+      }
+    };
+    window.addEventListener("online", onlineHandler);
+  }
+  function dispose() {
+    cancel();
+    if (visibilityHandler && typeof document !== "undefined") {
+      document.removeEventListener("visibilitychange", visibilityHandler);
+    }
+    if (onlineHandler && typeof window !== "undefined") {
+      window.removeEventListener("online", onlineHandler);
+    }
+  }
+  return { schedule, cancel, dispose };
+}
+
+// src/auth/auth-context.ts
+var AuthContext = createContext(undefined, "@vertz/ui::AuthContext");
+function useAuth() {
+  const ctx = useContext(AuthContext);
+  if (!ctx)
+    throw new Error("useAuth must be called within AuthProvider");
+  return ctx;
+}
+function AuthProvider({
+  basePath = "/api/auth",
+  accessControl,
+  accessEvents,
+  accessEventsUrl,
+  flagEntitlementMap,
+  children
+}) {
+  const userSignal = signal(null);
+  const statusSignal = signal("idle");
+  const errorSignal = signal(null);
+  const isAuthenticated = computed(() => statusSignal.value === "authenticated");
+  const isLoading = computed(() => statusSignal.value === "loading");
+  const accessSetSignal = accessControl ? signal(null) : null;
+  const accessLoadingSignal = accessControl ? signal(true) : null;
+  const tokenRefresh = createTokenRefresh({
+    onRefresh: async () => {
+      await refresh();
+    }
+  });
+  async function fetchAccessSet() {
+    if (!accessSetSignal || !accessLoadingSignal)
+      return;
+    try {
+      const res = await fetch(`${basePath}/access-set`, {
+        headers: { "X-VTZ-Request": "1" },
+        credentials: "include"
+      });
+      if (res.ok) {
+        accessSetSignal.value = await res.json();
+        accessLoadingSignal.value = false;
+      }
+    } catch {}
+  }
+  function clearAccessSet() {
+    if (!accessSetSignal || !accessLoadingSignal)
+      return;
+    accessSetSignal.value = null;
+    accessLoadingSignal.value = true;
+  }
+  function handleAuthSuccess(data) {
+    userSignal.value = data.user;
+    statusSignal.value = "authenticated";
+    errorSignal.value = null;
+    if (data.expiresAt) {
+      tokenRefresh.schedule(data.expiresAt);
+    }
+    fetchAccessSet();
+  }
+  function handleAuthError(error) {
+    if (error.code === "MFA_REQUIRED") {
+      statusSignal.value = "mfa_required";
+      errorSignal.value = null;
+    } else {
+      statusSignal.value = "error";
+      errorSignal.value = {
+        code: error.code ?? "SERVER_ERROR",
+        message: error.message,
+        statusCode: error.statusCode ?? 0,
+        retryAfter: error.retryAfter
+      };
+    }
+  }
+  const signInMethod = createAuthMethod({
+    basePath,
+    endpoint: "signin",
+    httpMethod: "POST",
+    schema: signInSchema,
+    onSuccess: handleAuthSuccess
+  });
+  const signIn = Object.assign(async (body) => {
+    statusSignal.value = "loading";
+    errorSignal.value = null;
+    const result = await signInMethod(body);
+    if (!result.ok) {
+      handleAuthError(result.error);
+    }
+    return result;
+  }, {
+    url: signInMethod.url,
+    method: signInMethod.method,
+    meta: signInMethod.meta
+  });
+  const signUpMethod = createAuthMethod({
+    basePath,
+    endpoint: "signup",
+    httpMethod: "POST",
+    schema: signUpSchema,
+    onSuccess: handleAuthSuccess
+  });
+  const signUp = Object.assign(async (body) => {
+    statusSignal.value = "loading";
+    errorSignal.value = null;
+    const result = await signUpMethod(body);
+    if (!result.ok) {
+      handleAuthError(result.error);
+    }
+    return result;
+  }, {
+    url: signUpMethod.url,
+    method: signUpMethod.method,
+    meta: signUpMethod.meta
+  });
+  const mfaChallengeMethod = createAuthMethod({
+    basePath,
+    endpoint: "mfa/challenge",
+    httpMethod: "POST",
+    schema: mfaSchema,
+    onSuccess: handleAuthSuccess
+  });
+  const mfaChallenge = Object.assign(async (body) => {
+    statusSignal.value = "loading";
+    errorSignal.value = null;
+    const result = await mfaChallengeMethod(body);
+    if (!result.ok) {
+      handleAuthError(result.error);
+    }
+    return result;
+  }, {
+    url: mfaChallengeMethod.url,
+    method: mfaChallengeMethod.method,
+    meta: mfaChallengeMethod.meta
+  });
+  const forgotPasswordMethod = createAuthMethod({
+    basePath,
+    endpoint: "forgot-password",
+    httpMethod: "POST",
+    schema: forgotPasswordSchema,
+    onSuccess: () => {}
+  });
+  const forgotPassword = Object.assign(async (body) => {
+    return forgotPasswordMethod(body);
+  }, {
+    url: forgotPasswordMethod.url,
+    method: forgotPasswordMethod.method,
+    meta: forgotPasswordMethod.meta
+  });
+  const resetPasswordMethod = createAuthMethod({
+    basePath,
+    endpoint: "reset-password",
+    httpMethod: "POST",
+    schema: resetPasswordSchema,
+    onSuccess: () => {}
+  });
+  const resetPassword = Object.assign(async (body) => {
+    return resetPasswordMethod(body);
+  }, {
+    url: resetPasswordMethod.url,
+    method: resetPasswordMethod.method,
+    meta: resetPasswordMethod.meta
+  });
+  const signOut = async () => {
+    tokenRefresh.cancel();
+    try {
+      await fetch(`${basePath}/signout`, {
+        method: "POST",
+        headers: { "X-VTZ-Request": "1" },
+        credentials: "include"
+      });
+    } catch {}
+    userSignal.value = null;
+    statusSignal.value = "unauthenticated";
+    errorSignal.value = null;
+    clearAccessSet();
+    if (typeof window !== "undefined") {
+      delete window.__VERTZ_SESSION__;
+    }
+  };
+  let refreshInFlight = null;
+  const doRefresh = async () => {
+    statusSignal.value = "loading";
+    try {
+      const res = await fetch(`${basePath}/refresh`, {
+        method: "POST",
+        headers: { "X-VTZ-Request": "1" },
+        credentials: "include"
+      });
+      if (res.ok) {
+        const data = await res.json();
+        handleAuthSuccess(data);
+      } else {
+        userSignal.value = null;
+        statusSignal.value = "unauthenticated";
+        errorSignal.value = null;
+      }
+    } catch {
+      userSignal.value = null;
+      statusSignal.value = "unauthenticated";
+      errorSignal.value = null;
+    }
+  };
+  const refresh = async () => {
+    if (refreshInFlight)
+      return refreshInFlight;
+    refreshInFlight = doRefresh().finally(() => {
+      refreshInFlight = null;
+    });
+    return refreshInFlight;
+  };
+  const eventClient = accessControl && accessEvents && accessSetSignal ? createAccessEventClient({
+    url: accessEventsUrl,
+    onEvent: (event) => {
+      if (!accessSetSignal)
+        return;
+      if (event.type === "access:flag_toggled" || event.type === "access:limit_updated") {
+        handleAccessEvent(accessSetSignal, event, flagEntitlementMap);
+      } else {
+        const jitter = Math.random() * 1000;
+        setTimeout(() => {
+          fetchAccessSet();
+        }, jitter);
+      }
+    },
+    onReconnect: () => {
+      fetchAccessSet();
+    }
+  }) : null;
+  if (eventClient) {
+    eventClient.connect();
+  }
+  _tryOnCleanup(() => {
+    tokenRefresh.dispose();
+    eventClient?.dispose();
+  });
+  const contextValue = {
+    user: userSignal,
+    status: statusSignal,
+    isAuthenticated,
+    isLoading,
+    error: errorSignal,
+    signIn,
+    signUp,
+    signOut,
+    refresh,
+    mfaChallenge,
+    forgotPassword,
+    resetPassword
+  };
+  if (typeof window !== "undefined") {
+    if (window.__VERTZ_SESSION__?.user) {
+      const session = window.__VERTZ_SESSION__;
+      userSignal.value = session.user;
+      statusSignal.value = "authenticated";
+      if (session.expiresAt) {
+        tokenRefresh.schedule(session.expiresAt);
+      }
+    } else {
+      statusSignal.value = "unauthenticated";
+    }
+  }
+  if (accessControl && accessSetSignal && accessLoadingSignal) {
+    if (typeof window !== "undefined" && window.__VERTZ_ACCESS_SET__ && typeof window.__VERTZ_ACCESS_SET__.entitlements === "object" && window.__VERTZ_ACCESS_SET__.entitlements !== null) {
+      accessSetSignal.value = window.__VERTZ_ACCESS_SET__;
+      accessLoadingSignal.value = false;
+    }
+    const accessValue = { accessSet: accessSetSignal, loading: accessLoadingSignal };
+    return AuthContext.Provider({
+      value: contextValue,
+      children: () => AccessContext.Provider({
+        value: accessValue,
+        children
+      })
+    });
+  }
+  return AuthContext.Provider({ value: contextValue, children });
+}
+// src/auth/auth-gate.ts
+function AuthGate({ fallback, children }) {
+  const ctx = useContext(AuthContext);
+  if (!ctx) {
+    return typeof children === "function" ? children() : children;
+  }
+  const isResolved = computed(() => {
+    const status = ctx.status;
+    return status !== "idle" && status !== "loading";
+  });
+  return computed(() => {
+    if (isResolved.value) {
+      return typeof children === "function" ? children() : children;
+    }
+    return fallback ? fallback() : null;
+  });
+}
+// src/auth/create-access-provider.ts
+function createAccessProvider() {
+  const accessSet = signal(null);
+  const loading = signal(true);
+  if (typeof window !== "undefined" && window.__VERTZ_ACCESS_SET__ && typeof window.__VERTZ_ACCESS_SET__.entitlements === "object" && window.__VERTZ_ACCESS_SET__.entitlements !== null) {
+    accessSet.value = window.__VERTZ_ACCESS_SET__;
+    loading.value = false;
+  }
+  return { accessSet, loading };
+}
+export {
+  useAuth,
+  useAccessContext,
+  createAccessProvider,
+  createAccessEventClient,
+  can,
+  AuthProvider,
+  AuthGate,
+  AuthContext,
+  AccessGate,
+  AccessContext
+};