@yboard/auth-mobile 0.0.1

package/src/client/create-client.ts

@@ -0,0 +1,311 @@
+import * as AuthSession from "expo-auth-session";
+import * as SecureStore from "expo-secure-store";
+import * as WebBrowser from "expo-web-browser";
+import { Platform } from "react-native";
+import { getCookie, getSetCookie } from "./cookie";
+import { CookieHttpClient } from "./cookie-http-client";
+import { NoClientIdProvidedException } from "./exceptions";
+import { NoOrganizationIdProvidedException } from "./exceptions/no-client-id-provided.exception";
+import { HttpClient } from "./http-client";
+import type { CreateClientOptions, User } from "./interfaces";
+import {
+  createPkceChallenge,
+  isRedirectCallback,
+  memoryStorage,
+  storageKeys,
+} from "./utils";
+
+export interface RedirectOptions {
+  provider?: string;
+  context?: string;
+  invitationToken?: string;
+  loginHint?: string;
+  organizationId?: string;
+  passwordResetToken?: string;
+  state?: any;
+  type: "sign-in" | "sign-up";
+}
+
+export class Client {
+  readonly #httpClient: HttpClient | CookieHttpClient;
+  #redirectUri: string;
+
+  constructor(
+    clientId: string,
+    {
+      apiHostname: hostname,
+      https,
+      port,
+      organizationId,
+      redirectUri,
+      devMode,
+    }: CreateClientOptions,
+  ) {
+    if (!clientId) {
+      throw new NoClientIdProvidedException();
+    }
+    if (!organizationId) {
+      throw new NoOrganizationIdProvidedException();
+    }
+
+    // Platform-specific defaults
+    if (Platform.OS === "web") {
+      // --- Web defaults ---
+      redirectUri = redirectUri ?? window.origin;
+      devMode =
+        devMode ??
+        (location.hostname === "localhost" ||
+          location.hostname === "127.0.0.1");
+    } else {
+      // --- Native defaults ---
+      redirectUri = redirectUri ?? "";
+      devMode = devMode ?? false;
+    }
+
+    // Use CookieHttpClient for web (cookie-based), HttpClient for native (token-based)
+    if (Platform.OS === "web") {
+      this.#httpClient = new CookieHttpClient({
+        clientId,
+        hostname,
+        port,
+        organizationId,
+        https,
+      });
+    } else {
+      this.#httpClient = new HttpClient({
+        clientId,
+        hostname,
+        port,
+        organizationId,
+        https,
+      });
+    }
+
+    this.#redirectUri = redirectUri;
+  }
+
+  // ============================================================
+  // Cross-platform methods
+  // ============================================================
+
+  async getAccessToken(): Promise<string | null> {
+    if (Platform.OS === "web") {
+      return this.#getAccessTokenWeb();
+    } else {
+      return this.#getAccessTokenNative();
+    }
+  }
+
+  async getUser(): Promise<User | null> {
+    if (Platform.OS === "web") {
+      return this.#getUserWeb();
+    } else {
+      return this.#getUserNative();
+    }
+  }
+
+  async #redirect(options: RedirectOptions) {
+    if (Platform.OS === "web") {
+      return this.#redirectWeb(options);
+    } else {
+      return this.#redirectNative(options);
+    }
+  }
+
+  async initialize() {
+    const searchParams = new URLSearchParams(window.location.search);
+    if (isRedirectCallback(this.#redirectUri, searchParams)) {
+      await this.#handleCallback();
+    }
+  }
+
+  async signIn(opts: Omit<RedirectOptions, "type"> = {}) {
+    return this.#redirect({ ...opts, type: "sign-in" });
+  }
+
+  async signUp(opts: Omit<RedirectOptions, "type"> = {}) {
+    return this.#redirect({ ...opts, type: "sign-up" });
+  }
+
+  async signOut(options?: { returnTo: string }) {
+    if (Platform.OS === "web") {
+      return this.#signOutWeb(options);
+    } else {
+      return this.#signOutNative(options);
+    }
+  }
+
+  // Native methods
+  async #signOutNative(options?: { returnTo: string }) {
+    const redirectUri =
+      options?.returnTo ||
+      AuthSession.makeRedirectUri({ native: "yboardstarter:" });
+
+    const logoutUrl = await (this.#httpClient as HttpClient).getLogoutUrl({
+      returnTo: redirectUri,
+    });
+
+    if (logoutUrl) {
+      try {
+        const result = await WebBrowser.openAuthSessionAsync(
+          logoutUrl,
+          redirectUri,
+        );
+
+        if (result.type === "success") {
+          await SecureStore.deleteItemAsync("yboard-session");
+        } else {
+          console.warn("User cancelled or dismissed logout:", result.type);
+        }
+      } catch (error) {
+        console.error("Error during sign out:", error);
+      }
+    }
+  }
+
+  async #getAccessTokenNative(): Promise<string | null> {
+    const stored = await SecureStore.getItemAsync("yboard-session");
+    const cookie = getCookie(stored || "{}");
+    const accessToken = await (this.#httpClient as HttpClient).getAccessToken({
+      cookie,
+    });
+    return (accessToken as string) || null;
+  }
+
+  async #getUserNative(): Promise<User | null> {
+    const stored = await SecureStore.getItemAsync("yboard-session");
+    const cookie = getCookie(stored || "{}");
+    const user = await (this.#httpClient as HttpClient).getUser({ cookie });
+    if (!user) {
+      return null;
+    }
+    return user as User;
+  }
+
+  async #redirectNative({
+    context,
+    invitationToken,
+    loginHint,
+    organizationId,
+    passwordResetToken,
+    state,
+  }: RedirectOptions) {
+    const { codeVerifier, codeChallenge } = await createPkceChallenge();
+    memoryStorage.setItem(storageKeys.codeVerifier, codeVerifier);
+
+    const { code } = await (
+      this.#httpClient as HttpClient
+    ).startAuthorizationFlow({
+      codeChallenge,
+      codeChallengeMethod: "S256",
+    });
+
+    if (code) {
+      const cookie = await this.#authenticate({
+        code,
+        codeVerifier,
+      });
+      if (cookie && typeof cookie === "string") {
+        const prev = await SecureStore.getItemAsync("yboard-session");
+        const updated = getSetCookie(cookie, prev || undefined);
+        await SecureStore.setItemAsync("yboard-session", updated);
+      }
+    }
+  }
+
+  async #authenticate({
+    code,
+    codeVerifier,
+  }: {
+    code: string;
+    codeVerifier: string;
+  }): Promise<string | null> {
+    if (typeof codeVerifier !== "string") return null;
+
+    const cookie = await (this.#httpClient as HttpClient).authenticateWithCode({
+      code,
+      codeVerifier: codeVerifier,
+      redirectUri: this.#redirectUri,
+    });
+
+    return cookie;
+  }
+
+  // Web methods
+  async getCookieDomain(origin: string) {
+    const url = new URL(origin);
+    const domainParts = url.hostname.split(".");
+    if (domainParts.length > 1) {
+      return "." + domainParts.slice(-2).join(".");
+    }
+    return url.hostname;
+  }
+
+  async #signOutWeb(options?: { returnTo: string }) {
+    const url = await (this.#httpClient as CookieHttpClient).getLogoutUrl({
+      returnTo: options?.returnTo,
+    });
+
+    if (url) {
+      const domain = await this.getCookieDomain(this.#redirectUri);
+      document.cookie = `yboard-session=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/; domain=${domain}`;
+      window.location.assign(url);
+    }
+  }
+
+  async #getAccessTokenWeb(): Promise<string | null> {
+    const accessToken = await (
+      this.#httpClient as CookieHttpClient
+    ).getAccessToken();
+    return accessToken as string | null;
+  }
+
+  async #getUserWeb(): Promise<User | null> {
+    const user = await (this.#httpClient as CookieHttpClient).getUser();
+    return user as User | null;
+  }
+
+  async #handleCallback() {
+    const cleanUrl = new URL(window.location.toString());
+    cleanUrl.search = "";
+    window.history.replaceState({}, "", cleanUrl);
+  }
+
+  async #redirectWeb({
+    context,
+    invitationToken,
+    loginHint,
+    organizationId,
+    passwordResetToken,
+    state,
+    type,
+    provider,
+  }: RedirectOptions) {
+    const url = await (
+      this.#httpClient as CookieHttpClient
+    ).getAuthorizationUrl({
+      context,
+      invitationToken,
+      loginHint,
+      organizationId,
+      passwordResetToken,
+      redirectUri: this.#redirectUri,
+      state: state ? JSON.stringify(state) : undefined,
+    });
+    window.location.assign(url);
+  }
+}
+
+export async function createClient(
+  clientId: string,
+  options: CreateClientOptions,
+) {
+  const client = new Client(clientId, options);
+
+  // Only initialize for web platform
+  if (Platform.OS === "web") {
+    await client.initialize();
+  }
+
+  return client;
+}

package/src/client/errors.ts

@@ -0,0 +1,6 @@
+export class AuthKitError extends Error {}
+export class RefreshError extends AuthKitError {}
+export class CodeExchangeError extends AuthKitError {}
+export class LoginRequiredError extends AuthKitError {
+  readonly message: string = "No access token available";
+}

package/src/client/exceptions/index.ts

@@ -0,0 +1 @@
+export { NoClientIdProvidedException } from "./no-client-id-provided.exception";

package/src/client/exceptions/no-client-id-provided.exception.ts

@@ -0,0 +1,11 @@
+export class NoClientIdProvidedException extends Error {
+  readonly status: number = 500;
+  readonly name: string = "NoClientIdProvidedException";
+  readonly message: string = `Missing Client ID. Pass it to the constructor (createClient("client_01HXRMBQ9BJ3E7QSTQ9X2PHVB7"))`;
+}
+
+export class NoOrganizationIdProvidedException extends Error {
+  readonly status: number = 500;
+  readonly name: string = "NoOrganizationIdProvidedException";
+  readonly message: string = `Missing Organization ID. Pass it to the constructor`;
+}

package/src/client/globalFetch.ts

@@ -0,0 +1,35 @@
+export const fetchWithOrganizationIdAndCookie = ({
+    baseUrl,
+    organizationId,
+    cookie,
+    path,
+    method,
+    options,
+    body = {},
+}: {
+    baseUrl: string;
+    organizationId: string;
+    cookie?: string;
+    path: string;
+    method: "GET" | "POST" | "PUT" | "DELETE";
+    options?: RequestInit;
+    body?: Record<string, unknown>;
+}) => {
+    const fetchOptions: RequestInit = {
+        method,
+        headers: {
+            "Accept": "application/json, text/plain, */*",
+            "Content-Type": "application/json",
+            "X-Organization-Id": organizationId,
+            "cookie": cookie || "",
+        },
+        credentials: "include",
+        ...options,
+    };
+
+    if (method !== "GET" && body) {
+        fetchOptions.body = JSON.stringify(body);
+    }
+
+    return fetch(`${baseUrl}${path}`, fetchOptions);
+};

package/src/client/http-client.ts

@@ -0,0 +1,209 @@
+import * as AuthSession from "expo-auth-session";
+import * as WebBrowser from "expo-web-browser";
+import { CodeExchangeError } from "./errors";
+import { fetchWithOrganizationIdAndCookie } from "./globalFetch";
+import { User } from "./interfaces";
+
+export class HttpClient {
+  readonly #baseUrl: string;
+  readonly #clientId: string;
+  readonly #organizationId: string;
+
+  constructor({
+    clientId,
+    hostname,
+    port,
+    organizationId,
+    https = true,
+  }: {
+    clientId: string;
+    hostname?: string;
+    organizationId: string;
+    port?: number;
+    https?: boolean;
+  }) {
+    this.#baseUrl = `${https ? "https" : "http"}://${hostname}${port ? `:${port}` : ""}`;
+    this.#clientId = clientId;
+    this.#organizationId = organizationId;
+  }
+
+  #buildAuthUrl({
+    redirectUri,
+    codeChallenge,
+    codeChallengeMethod,
+    clientId,
+    organizationId,
+  }: {
+    redirectUri: string;
+    codeChallenge: string;
+    codeChallengeMethod: string;
+    clientId: string;
+    organizationId: string;
+  }) {
+    const params = new URLSearchParams({
+      response_type: "code",
+      clientId,
+      redirectUri,
+      codeChallenge,
+      codeChallengeMethod,
+      organizationId,
+    });
+
+    return `${this.#baseUrl}/api/user_management/mobile/signIn?${params.toString()}`;
+  }
+
+  async startAuthorizationFlow({
+    codeChallenge,
+    codeChallengeMethod,
+  }: {
+    codeChallenge: string;
+    codeChallengeMethod: "S256";
+  }) {
+    const redirectUri = AuthSession.makeRedirectUri({
+      native: "yboardstarter:",
+    }).toString();
+    const authUrl = this.#buildAuthUrl({
+      redirectUri,
+      codeChallenge,
+      codeChallengeMethod,
+      clientId: this.#clientId,
+      organizationId: this.#organizationId,
+    });
+
+    let code: string | undefined;
+
+    const webResult = await WebBrowser.openAuthSessionAsync(
+      authUrl,
+      redirectUri,
+    );
+
+    switch (webResult.type) {
+      case "success":
+        if (webResult.url) {
+          const urlParts = webResult.url.split("?");
+          if (urlParts.length > 1) {
+            const queryString = urlParts[1];
+            const params = queryString.split("&");
+            for (const param of params) {
+              const [key, value] = param.split("=");
+              if (key === "code") {
+                code = decodeURIComponent(value);
+                break;
+              }
+            }
+          }
+        } else {
+          console.warn("Success result but no URL returned");
+        }
+        break;
+
+      case "cancel":
+        console.warn("User cancelled the auth flow.");
+        throw new Error("Authentication cancelled.");
+
+      case "dismiss":
+        console.warn(
+          "Auth flow was dismissed (possibly due to backgrounding).",
+        );
+        throw new Error("Authentication dismissed.");
+
+      case "locked":
+        console.warn("Another auth session is already in progress.");
+        throw new Error("Authentication session already active.");
+
+      default:
+        console.error("Unhandled web result type:", webResult.type);
+        throw new Error(`Unhandled auth session result: ${webResult.type}`);
+    }
+
+    if (!code) {
+      throw new Error("No authorization code found in redirect URL.");
+    }
+
+    return { code };
+  }
+
+  async authenticateWithCode({
+    code,
+    codeVerifier,
+    redirectUri,
+  }: {
+    code: string;
+    codeVerifier: string;
+    redirectUri: string;
+  }): Promise<string | null> {
+    const response = await fetch(
+      `${this.#baseUrl}/api/user_management/mobile/authenticate`,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-Organization-Id": this.#organizationId,
+        },
+        body: JSON.stringify({
+          code,
+          client_id: this.#clientId,
+          grant_type: "authorization_code",
+          code_verifier: codeVerifier,
+          redirect_uri: redirectUri,
+        }),
+      },
+    );
+
+    if (!response.ok) {
+      const error = await response.json();
+      throw new CodeExchangeError(error.error_description);
+    }
+
+    const setCookie = response.headers.get("set-cookie");
+    return setCookie;
+  }
+
+  async getUser({ cookie }: { cookie?: string } = {}) {
+    const response = await fetchWithOrganizationIdAndCookie({
+      baseUrl: this.#baseUrl,
+      organizationId: this.#organizationId,
+      cookie,
+      path: "/api/user_management/mobile/getUser",
+      method: "GET",
+    });
+
+    if (!response.ok) {
+      return null;
+    }
+    const { user } = (await response.json()) as { user: User };
+    return user;
+  }
+
+  async getAccessToken({ cookie }: { cookie?: string } = {}) {
+    const response = await fetchWithOrganizationIdAndCookie({
+      baseUrl: this.#baseUrl,
+      organizationId: this.#organizationId,
+      cookie,
+      path: "/api/user_management/mobile/getAccessToken",
+      method: "GET",
+    });
+
+    const { accessToken } = (await response.json()) as { accessToken: string };
+    return accessToken;
+  }
+
+  async getLogoutUrl({ returnTo }: { returnTo?: string } = {}): Promise<
+    string | null
+  > {
+    const response = await fetch(
+      `${this.#baseUrl}/api/user_management/mobile/getLogOutUrl`,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-Organization-Id": this.#organizationId,
+        },
+        body: JSON.stringify({ client_id: this.#clientId, returnTo }),
+      },
+    );
+
+    const { url } = await response.json();
+    return url;
+  }
+}

package/src/client/index.ts

@@ -0,0 +1,6 @@
+export { createClient } from "./create-client";
+export type { RedirectOptions } from "./create-client";
+export { getClaims } from "./utils/session-data";
+export type { User, AuthenticationResponse } from "./interfaces";
+export { AuthKitError, LoginRequiredError } from "./errors";
+export { memoryStorage } from "./utils/memory-storage";

package/src/client/interfaces/authentication-response.interface.ts

@@ -0,0 +1,34 @@
+import type { User, UserRaw } from "./user.interface";
+import type { Impersonator, ImpersonatorRaw } from "./impersonator.interface";
+
+export interface AuthenticationResponse {
+  user: User;
+  accessToken: string;
+  refreshToken: string;
+  organizationId?: string;
+  impersonator?: Impersonator;
+  sealedSession?: string;
+}
+
+export interface AuthenticationResponseWithOrganizationSelection {
+  rawData: {
+    code: string;
+    message: string;
+    pending_authentication_token: string;
+    user: User;
+    organizations: { id: string; name: string }[];
+    requestId: string;
+  }
+  status: number;
+}
+
+export type OnRefreshResponse = Omit<AuthenticationResponse, "refreshToken">;
+
+export interface AuthenticationResponseRaw {
+  user: UserRaw;
+  access_token: string;
+  refresh_token: string;
+  organization_id?: string;
+  impersonator?: ImpersonatorRaw;
+  sealedSession?: string;
+}

package/src/client/interfaces/create-client-options.interface.ts

@@ -0,0 +1,69 @@
+import type {
+  AuthenticationResponse,
+  OnRefreshResponse,
+} from "./authentication-response.interface";
+
+export interface CreateClientOptions {
+  /**
+   * How many seconds before the access token expiration to attempt a refresh.
+   */
+  refreshBufferInterval?: number;
+
+  /**
+   * The API hostname to connect to
+   */
+  apiHostname?: string;
+
+  /**
+   * Whether to use HTTPS (default: true)
+   */
+  https?: boolean;
+
+  /**
+   * The port number to connect to
+   */
+  port?: number;
+
+  /**
+   * The organization ID for authentication
+   */
+  organizationId: string;
+
+  /**
+   * The redirect URI for OAuth flow
+   */
+  redirectUri?: string;
+
+  /**
+   * Whether the app is running in development mode
+   * For web: defaults to true if on localhost or 127.0.0.1
+   * For native: defaults to false
+   */
+  devMode?: boolean;
+
+  /**
+   * Callback to determine if auto-refresh should proceed
+   * For web: defaults to checking if document is not hidden
+   * For native: defaults to always true
+   */
+  onBeforeAutoRefresh?: () => boolean;
+
+  /**
+   * Callback invoked after successful redirect with authentication data
+   */
+  onRedirectCallback?: (params: RedirectParams) => void;
+
+  /**
+   * Callback invoked when a token refresh occurs
+   */
+  onRefresh?: (response: OnRefreshResponse) => void;
+
+  /**
+   * Callback invoked when token refresh fails
+   */
+  onRefreshFailure?: (params: { signIn: () => Promise<void> }) => void;
+}
+
+export interface RedirectParams extends AuthenticationResponse {
+  state: Record<string, any> | null;
+}

package/src/client/interfaces/get-authorization-url-options.interface.ts

@@ -0,0 +1,15 @@
+export interface GetAuthorizationUrlOptions {
+  connectionId?: string;
+  context?: string;
+  organizationId?: string;
+  domainHint?: string;
+  loginHint?: string;
+  provider?: string;
+  redirectUri?: string;
+  state?: string;
+  screenHint?: "sign-up" | "sign-in";
+  invitationToken?: string;
+  passwordResetToken?: string;
+  codeChallenge?: string;
+  codeChallengeMethod?: string;
+}