flowlink-auth 2.7.3 → 2.7.5

package/src/api.js

@@ -0,0 +1,60 @@
+// src/api.js
+import { getConfigSafe, getCSRFToken } from './init.js'
+
+/**
+ * Secure API call wrapper with CSRF protection and validation
+ */
+export const makeApi = () => {
+  const cfg = getConfigSafe()
+  return {
+    call: async (path, opts = {}) => {
+      if (!cfg) {
+        return { status: 400, body: { error: 'flowlink-auth: SDK not initialized (publishable key missing)' } }
+      }
+
+      // Security: Validate path
+      if (!path || typeof path !== 'string') {
+        return { status: 400, body: { error: 'Invalid API path' } }
+      }
+
+      // Security: Prevent open redirect
+      if (path.startsWith('//') || path.startsWith('http')) {
+        return { status: 400, body: { error: 'Invalid API path' } }
+      }
+
+      const headers = {
+        'Content-Type': 'application/json',
+        'x-publishable-key': cfg.publishableKey,
+        ...(opts.headers || {})
+      }
+
+      // Security: Add CSRF token if available
+      const csrfToken = getCSRFToken()
+      if (csrfToken && opts.method && opts.method.toUpperCase() !== 'GET') {
+        headers['x-csrf-token'] = csrfToken
+      }
+
+      try {
+        // Security: Validate URL before fetch
+        const fullUrl = new URL(cfg.baseUrl + path).href
+        
+        const res = await fetch(fullUrl, {
+          ...opts,
+          headers,
+          // Security: Include credentials for cookie-based auth
+          credentials: 'include',
+          // Security: Enforce no referrer for sensitive requests
+          referrerPolicy: 'strict-origin-when-cross-origin'
+        })
+
+        const body = await res.json().catch(() => null)
+        return { status: res.status, body }
+      } catch (err) {
+        // Security: Don't leak error details
+        console.error('API call failed:', err.message)
+        return { status: 500, body: { error: 'Request failed. Please try again.' } }
+      }
+    }
+  }
+}
+

package/src/createAuthMiddleware.js

@@ -0,0 +1,69 @@
+// flowlink-auth/src/createAuthMiddleware.js
+import { NextResponse } from 'next/server'
+import { jwtVerify } from 'jose'
+
+/**
+ * Factory that returns a Next.js middleware function.
+ * - secret: JWT HMAC secret (string)
+ * - redirectTo: where to send unauthenticated users (default '/signin')
+ *
+ * Note: the app's middleware.ts should export the returned function as default
+ * and set `export const config = { matcher: [...] }` for paths to protect.
+ */
+export function createAuthMiddleware({ secret, redirectTo = '/signin', publicPaths = [] } = {}) {
+  if (!secret) {
+    throw new Error('createAuthMiddleware: secret is required')
+  }
+
+  if (secret.length < 32) {
+    console.warn('createAuthMiddleware: secret should be at least 32 characters long for security')
+  }
+
+  return async function middleware(req) {
+    const url = req.nextUrl.clone()
+    const pathname = req.nextUrl.pathname
+
+    // Check if path is public (no auth required)
+    if (publicPaths && publicPaths.some(path => pathname.startsWith(path))) {
+      return NextResponse.next()
+    }
+
+    // 1) Read token from cookie (secure, httpOnly)
+    const token = req.cookies.get?.('flowlink_token')?.value ?? null
+
+    if (!token) {
+      // No token -> redirect to sign-in
+      url.pathname = redirectTo
+      return NextResponse.redirect(url)
+    }
+
+    // 2) Validate token signature & expiry
+    try {
+      // Security: Use jose for secure JWT verification
+      const key = new TextEncoder().encode(secret)
+      const verified = await jwtVerify(token, key, {
+        algorithms: ['HS256'] // Restrict to HS256
+      })
+
+      // 3) Security: Add user info to request headers for downstream services
+      const requestHeaders = new Headers(req.headers)
+      requestHeaders.set('x-user-id', verified.payload.userId || '')
+      requestHeaders.set('x-tenant-id', verified.payload.tenantId || '')
+
+      // token OK -> continue with verified user info
+      return NextResponse.next({
+        request: {
+          headers: requestHeaders
+        }
+      })
+    } catch (err) {
+      // Security: Log failed verification but don't expose details to user
+      console.error('Token verification failed:', err.message)
+
+      // invalid/expired token -> redirect to sign-in
+      url.pathname = redirectTo
+      return NextResponse.redirect(url)
+    }
+  }
+}
+

package/src/index.d.ts

@@ -0,0 +1,15 @@
+import React from "react";
+
+export interface FlowlinkAuthProviderProps {
+  baseUrl: string;
+  publishableKey?: string;
+  children: React.ReactNode;
+  redirect?: string;
+}
+
+export declare function FlowlinkAuthProvider(props: FlowlinkAuthProviderProps): JSX.Element;
+export declare function initFlowlinkAuth(opts: { publishableKey: string; baseUrl: string; opts?: any }): void;
+export declare function SignIn(props?: any): JSX.Element;
+export declare function SignUp(props?: any): JSX.Element;
+export declare function useAuth(): any;
+

package/src/index.js

@@ -0,0 +1,5 @@
+export { default as FlowlinkAuthProvider } from './provider'
+export { default as SignIn } from './SignIn'
+export { default as SignUp } from './SignUp'
+export { useAuth } from './provider'
+

package/src/init.js

@@ -0,0 +1,100 @@
+// src/init.js
+let CONFIG = null
+
+/**
+ * Initialize the SDK globally (alternative to using flowlinkAuthProvider props).
+ * publishableKey: string (required)
+ * baseUrl: string (required)
+ * opts: { requireServerSecret?: boolean, serverSecret?: string } - serverSecret ONLY for dev/testing
+ */
+export function initFlowlinkAuth({ publishableKey, baseUrl, opts } = {}) {
+  if (!publishableKey) throw new Error('flowlink-auth: publishableKey is required in initFlowlinkAuth()')
+  if (!baseUrl) throw new Error('flowlink-auth: baseUrl is required in initFlowlinkAuth()')
+
+  // Security: Validate publishable key format
+  if (!publishableKey.startsWith('pk_')) {
+    console.warn('flowlink-auth: publishableKey should start with "pk_"')
+  }
+
+  // Security: Enforce HTTPS in production
+  if (typeof window !== 'undefined' && window.location.protocol === 'http:' && !baseUrl.includes('localhost')) {
+    console.error('flowlink-auth: HTTPS is required for production. Current protocol:', window.location.protocol)
+  }
+
+  // Security: Validate baseUrl is properly formatted
+  const urlObj = new URL(baseUrl).href
+  if (!urlObj) {
+    throw new Error('flowlink-auth: baseUrl must be a valid URL')
+  }
+
+  CONFIG = {
+    publishableKey,
+    baseUrl: baseUrl.replace(/\/+$/, ''),
+    requireServerSecret: opts?.requireServerSecret || false,
+    secretKey: opts?.serverSecret || null,
+    csrfToken: generateCSRFToken() // Add CSRF protection
+  }
+
+  if (CONFIG.requireServerSecret && !CONFIG.secretKey) {
+    console.warn('flowlink-auth: requireServerSecret=true but serverSecret not provided. This is insecure for production.')
+  }
+  if (CONFIG.secretKey) {
+    console.error('flowlink-auth: secretKey should NEVER be provided to client SDK. Use server-side authentication only.')
+  }
+}
+
+/**
+ * Generate CSRF token for form submissions
+ */
+function generateCSRFToken() {
+  if (typeof window === 'undefined') return null
+  const array = new Uint8Array(32)
+  window.crypto.getRandomValues(array)
+  return Array.from(array, byte => byte.toString(16).padStart(2, '0')).join('')
+}
+
+/**
+ * Called by flowlinkAuthProvider so provider props set the same shared CONFIG.
+ * This allows either initflowlinkAuth(...) or provider props to work.
+ */
+export function setConfigFromProvider({ publishableKey, secretKey = null, baseUrl, opts = {} } = {}) {
+  if (!publishableKey || !baseUrl) {
+    // don't throw here — provider already validates and shows friendly UI
+    CONFIG = null
+    return
+  }
+
+  // Security: Validate HTTPS
+  if (typeof window !== 'undefined' && window.location.protocol === 'http:' && !baseUrl.includes('localhost')) {
+    console.warn('flowlink-auth: HTTPS recommended for production')
+  }
+
+  CONFIG = {
+    publishableKey,
+    baseUrl: baseUrl.replace(/\/+$/, ''),
+    requireServerSecret: opts?.requireServerSecret || false,
+    secretKey: secretKey || null,
+    csrfToken: generateCSRFToken()
+  }
+
+  if (secretKey) {
+    console.error('flowlink-auth: NEVER pass secretKey to client-side code')
+  }
+}
+
+/** Safe getter used by UI components (returns null if not initialized) */
+export function getConfigSafe() {
+  return CONFIG
+}
+
+/** Strict getter used by server helpers (throws if not initialized) */
+export function getConfig() {
+  if (!CONFIG) throw new Error('flowlink-auth: SDK not initialized. Call initFlowlinkAuth(...) or wrap components in FlowlinkAuthProvider with keys.')
+  return CONFIG
+}
+
+/** Get CSRF token for forms */
+export function getCSRFToken() {
+  return CONFIG?.csrfToken || null
+}
+

package/src/provider.js

@@ -0,0 +1,261 @@
+// provider.js
+'use client'
+import React, { createContext, useContext, useEffect, useState, useCallback, useRef } from 'react'
+import { checkSecureContext, validateEmail, getSafeErrorMessage } from './securityUtils.js'
+
+/**
+ * flowlinkAuthProvider (cookie-based)
+ *
+ * - Backend sets HttpOnly cookie (flowlink_token) on login/signup
+ * - Frontend calls /api/sdk/me with credentials:'include' to validate session
+ * - completeLogin() waits for /me and then optionally redirects (replace by default)
+ * - logout() clears client state and calls server logout (if available)
+ * - other tabs are notified via localStorage events (flowlink_login / flowlink_logout)
+ */
+
+const AuthContext = createContext(null)
+
+const FlowlinkAuthProvider = ({ children, publishableKey, baseUrl, redirect }) => {
+  const [ready, setReady] = useState(false)
+  const [error, setError] = useState(null)
+
+  const [user, setUser] = useState(null)
+  const [loadingUser, setLoadingUser] = useState(true)
+  const [sessionTimeout, setSessionTimeout] = useState(null)
+
+  const redirectedRef = useRef(false) // prevent multiple automatic redirects
+  const sessionTimerRef = useRef(null) // track session timeout timer
+
+  // Security: Check HTTPS context
+  useEffect(() => {
+    checkSecureContext()
+  }, [])
+
+  /* Validate config */
+  useEffect(() => {
+    if (!publishableKey || !publishableKey.trim()) {
+      setError('Missing publishable key')
+      setReady(false)
+      return
+    }
+    if (!baseUrl || !baseUrl.trim()) {
+      setError('Missing baseUrl')
+      setReady(false)
+      return
+    }
+
+    // Security: Validate publishable key format
+    if (!publishableKey.startsWith('pk_')) {
+      console.warn('flowlink-auth: publishableKey should start with "pk_"')
+    }
+
+    setError(null)
+    setReady(true)
+  }, [publishableKey, baseUrl])
+
+  const normalizedBase = useCallback(() => {
+    return baseUrl?.replace(/\/+$/, '') || ''
+  }, [baseUrl])
+
+  const redirectTo = (url, { replace = true } = {}) => {
+    if (!url) return
+    if (typeof window === 'undefined') return
+
+    // Security: Validate redirect URL (prevent open redirect)
+    if (url.startsWith('//') || url.startsWith('http')) {
+      console.error('flowlink-auth: Redirect URL must be relative')
+      return
+    }
+
+    try {
+      if (replace) window.location.replace(url)
+      else window.location.assign(url)
+    } catch (_) {
+      window.location.href = url
+    }
+  }
+
+  // Security: Reset session timeout on activity
+  const resetSessionTimeout = useCallback(() => {
+    if (sessionTimerRef.current) {
+      clearTimeout(sessionTimerRef.current)
+    }
+
+    // Set 24-hour session timeout
+    sessionTimerRef.current = setTimeout(() => {
+      setSessionTimeout(true)
+      logout()
+    }, 24 * 60 * 60 * 1000)
+  }, [])
+
+  /* Fetch /api/sdk/me using cookie (HttpOnly token) */
+  const fetchMe = useCallback(async () => {
+    setLoadingUser(true)
+    try {
+      const base = normalizedBase()
+      if (!base) {
+        setUser(null)
+        setLoadingUser(false)
+        return null
+      }
+
+      // Security: Validate URL
+      const fullUrl = new URL(`${base}/api/sdk/me`).href
+
+      const res = await fetch(fullUrl, {
+        method: 'GET',
+        credentials: 'include',
+        headers: {
+          'Content-Type': 'application/json'
+        },
+        referrerPolicy: 'strict-origin-when-cross-origin'
+      })
+
+      if (!res.ok) {
+        setUser(null)
+        setLoadingUser(false)
+        return null
+      }
+
+      const data = await res.json()
+      const u = data?.user ?? null
+      setUser(u)
+      setLoadingUser(false)
+
+      // Reset session timeout on successful fetch
+      resetSessionTimeout()
+
+      return u
+    } catch (err) {
+      console.error('Failed to fetch user:', getSafeErrorMessage(err))
+      setUser(null)
+      setLoadingUser(false)
+      return null
+    }
+  }, [normalizedBase, resetSessionTimeout])
+
+  /* Initial bootstrap + storage listener (to sync across tabs) */
+  useEffect(() => {
+    if (!ready) return
+    fetchMe()
+
+    const onStorage = (e) => {
+      if (!e.key) return
+      if (e.key === 'flowlink_login' || e.key === 'flowlink_logout') {
+        // revalidate session when other tab signals a change
+        fetchMe()
+      }
+    }
+
+    if (typeof window !== 'undefined') {
+      window.addEventListener('storage', onStorage)
+    }
+    return () => {
+      if (typeof window !== 'undefined') {
+        window.removeEventListener('storage', onStorage)
+      }
+    }
+  }, [ready, fetchMe])
+
+  /**
+   * Auto-redirect when user becomes authenticated.
+   * Runs once per mount when loadingUser turns false and user exists.
+   */
+  useEffect(() => {
+    if (!ready) return
+    if (loadingUser) return
+    if (!user) {
+      redirectedRef.current = false // reset flag when logged out
+      return
+    }
+    if (user && redirect && !redirectedRef.current) {
+      redirectedRef.current = true
+      redirectTo(redirect, { replace: true })
+    }
+  }, [ready, loadingUser, user, redirect])
+
+  /**
+   * completeLogin(opts)
+   * - call after server login/signup that sets HttpOnly cookie
+   * - will re-fetch /me, notify other tabs, and optionally redirect
+   * opts:
+   *   - redirectTo: URL to navigate after successful validation (overrides provider redirect)
+   *   - replace: boolean (default true)
+   */
+  const completeLogin = useCallback(async (opts = {}) => {
+    const { redirectTo: redirectUrl, replace = true } = opts
+    const u = await fetchMe()
+    // notify other tabs
+    try { localStorage.setItem('flowlink_login', String(Date.now())) } catch (_) {}
+    // only redirect if we have a valid user
+    const dest = redirectUrl ?? redirect
+    if (u && dest) {
+      redirectTo(dest, { replace })
+    }
+    return u
+  }, [fetchMe, redirect])
+
+  /**
+   * logout(opts)
+   * - callServer: whether to call /api/sdk/logout (default true)
+   * - redirectTo: optional URL to go to after logout (overrides provider redirect)
+   */
+  const logout = useCallback(async (opts = {}) => {
+    const { callServer = true, redirectTo: redirectUrl, replace = true } = opts
+    const base = normalizedBase()
+
+    if (callServer && base) {
+      try {
+        await fetch(`${base}/api/sdk/logout`, {
+          method: 'POST',
+          credentials: 'include',
+          headers: { 'Content-Type': 'application/json' }
+        })
+      } catch (_) {
+        // ignore server errors; proceed to client cleanup
+      }
+    }
+
+    setUser(null)
+    try { localStorage.setItem('flowlink_logout', String(Date.now())) } catch (_) {}
+
+    const dest = redirectUrl ?? redirect
+    if (dest) redirectTo(dest, { replace })
+  }, [normalizedBase, redirect])
+
+  /* Provide context value */
+  const value = {
+    publishableKey,
+    baseUrl,
+    redirectTo: (url, opts) => redirectTo(url, opts),
+    user,
+    setUser,
+    loadingUser,
+    fetchMe,
+    logout,
+    completeLogin
+  }
+
+  return (
+    <AuthContext.Provider value={value}>
+      {error ? (
+        <div style={{ padding:'20px', background:'#220000', color:'white' }}>
+          <h2>flowlink Auth Error</h2>
+          <p>{error}</p>
+        </div>
+      ) : !ready ? null : (
+        children
+      )}
+    </AuthContext.Provider>
+  )
+}
+
+const useAuth = () => {
+  const ctx = useContext(AuthContext)
+  if (!ctx) throw new Error('useAuth must be used within FlowlinkAuthProvider')
+  return ctx
+}
+
+export default FlowlinkAuthProvider
+export { useAuth }
+

package/src/securityUtils.js

@@ -0,0 +1,151 @@
+// src/securityUtils.js
+/**
+ * Security utilities for flowlink-auth SDK
+ */
+
+/**
+ * Sanitize user input to prevent XSS
+ */
+export function sanitizeInput(input) {
+  if (typeof input !== 'string') return input
+
+  const div = document.createElement('div')
+  div.textContent = input
+  return div.innerHTML
+}
+
+/**
+ * Validate email format
+ */
+export function validateEmail(email) {
+  if (typeof email !== 'string') return false
+  const regex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/
+  return regex.test(email) && email.length <= 255
+}
+
+/**
+ * Validate password strength
+ */
+export function validatePasswordStrength(password) {
+  if (typeof password !== 'string') return false
+  if (password.length < 12) return false
+
+  const hasUpper = /[A-Z]/.test(password)
+  const hasLower = /[a-z]/.test(password)
+  const hasNumber = /[0-9]/.test(password)
+  const hasSpecial = /[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/.test(password)
+
+  return hasUpper && hasLower && hasNumber && hasSpecial
+}
+
+/**
+ * Get password strength feedback
+ */
+export function getPasswordFeedback(password) {
+  const feedback = []
+
+  if (password.length < 12) {
+    feedback.push('At least 12 characters')
+  }
+  if (!/[A-Z]/.test(password)) {
+    feedback.push('One uppercase letter')
+  }
+  if (!/[a-z]/.test(password)) {
+    feedback.push('One lowercase letter')
+  }
+  if (!/[0-9]/.test(password)) {
+    feedback.push('One number')
+  }
+  if (!/[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/.test(password)) {
+    feedback.push('One special character')
+  }
+
+  return feedback
+}
+
+/**
+ * Check if running on HTTPS (except localhost)
+ */
+export function isSecureContext() {
+  if (typeof window === 'undefined') return true
+
+  const isLocalhost = window.location.hostname === 'localhost' ||
+    window.location.hostname === '127.0.0.1' ||
+    window.location.hostname === '[::1]'
+
+  const isHttps = window.location.protocol === 'https:'
+
+  return isHttps || isLocalhost
+}
+
+/**
+ * Warn if not on HTTPS in production
+ */
+export function checkSecureContext() {
+  if (!isSecureContext()) {
+    console.warn(
+      'flowlink-auth: HTTPS is required for production. ' +
+      'Your connection is not secure. Authentication may fail.'
+    )
+  }
+}
+
+/**
+ * Safe error message handler (don't leak sensitive info)
+ */
+export function getSafeErrorMessage(error) {
+  if (typeof error === 'string') {
+    // Check for sensitive keywords
+    if (error.includes('password') || error.includes('token') || error.includes('secret')) {
+      return 'An error occurred. Please try again.'
+    }
+    return error
+  }
+
+  if (error?.message) {
+    return getSafeErrorMessage(error.message)
+  }
+
+  return 'An error occurred. Please try again.'
+}
+
+/**
+ * Generate nonce for CSP
+ */
+export function generateNonce() {
+  const array = new Uint8Array(16)
+  if (typeof window !== 'undefined' && window.crypto) {
+    window.crypto.getRandomValues(array)
+  }
+  return Array.from(array, byte => byte.toString(16).padStart(2, '0')).join('')
+}
+
+/**
+ * Validate origin matches expected domain
+ */
+export function validateOrigin(expectedOrigin) {
+  if (typeof window === 'undefined') return true
+
+  const currentOrigin = window.location.origin
+
+  return currentOrigin === expectedOrigin
+}
+
+/**
+ * Check for XSS vulnerabilities in stored data
+ */
+export function hasXSSPatterns(input) {
+  if (typeof input !== 'string') return false
+
+  const xssPatterns = [
+    /<script[^>]*>.*?<\/script>/gi,
+    /javascript:/gi,
+    /on\w+\s*=/gi,
+    /<iframe/gi,
+    /<object/gi,
+    /<embed/gi
+  ]
+
+  return xssPatterns.some(pattern => pattern.test(input))
+}
+

package/src/useAuth.js

@@ -0,0 +1,13 @@
+// 'use client'
+import { useAuth } from './provider.js'
+import { checkSecureContext } from './securityUtils.js'
+
+// Check security context on module load
+if (typeof window !== 'undefined') {
+  checkSecureContext()
+}
+
+// Just re-export the hook from provider.js
+export { useAuth }
+
+