prividium 0.0.1-beta

package/README.md

@@ -0,0 +1,327 @@
+# Prividium SDK
+
+A TypeScript SDK for integrating with Prividium's authorization system, providing seamless authentication and secure RPC
+communication for blockchain applications.
+
+## Features
+
+- 🔐 **Popup-based OAuth Authentication** - Secure authentication flow using popup windows
+- 🔑 **JWT Token Management** - Automatic token storage, validation, and expiration handling
+- 🌐 **Viem Integration** - Drop-in transport for viem clients with automatic auth headers
+
+## Installation
+
+```bash
+npm install prividium
+```
+
+## Quick Start
+
+### 1. Create a Prividium Chain
+
+```typescript
+import { createPrividiumChain } from 'prividium';
+import { defineChain, createPublicClient, http } from 'viem';
+
+// Define your chain
+const prividiumChain = defineChain({
+  id: 7777,
+  name: 'Prividium Chain',
+  nativeCurrency: { name: 'Ether', symbol: 'ETH', decimals: 18 },
+  rpcUrls: { default: { http: [] } },
+  blockExplorers: { default: { name: 'Explorer', url: 'https://explorer.prividium.io' } }
+});
+
+// Create SDK instance
+const prividium = createPrividiumChain({
+  clientId: 'your-client-id',
+  chain: prividiumChain,
+  rpcUrl: 'https://rpc.prividium.io',
+  authBaseUrl: 'https://auth.prividium.io',
+  redirectUrl: window.location.origin + '/auth/callback',
+  onAuthExpiry: () => {
+    console.log('Authentication expired - please reconnect');
+  }
+});
+```
+
+### 2. Create Viem Client
+
+```typescript
+// The SDK provides a pre-configured transport with automatic auth headers
+const client = createPublicClient({
+  chain: prividium.chain,
+  transport: prividium.transport // ✨ Auth headers are automatically included!
+});
+```
+
+### 3. Authenticate and Use
+
+```typescript
+// Check if already authenticated
+if (!prividium.isAuthorized()) {
+  // Trigger authentication popup
+  await prividium.authorize();
+}
+
+// Now you can make authenticated RPC calls
+const balance = await client.getBalance({
+  address: '0x...'
+});
+```
+
+### 4. Setup OAuth Callback Page
+
+The SDK requires a callback page to complete the authentication flow securely using `postMessage`. Create a callback
+page at the `redirectUrl` you configured:
+
+**Example: `public/auth/callback.html`**
+
+```html
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Authentication Callback</title>
+    <script type="module">
+      import { handleAuthCallback } from '@repo/prividium-sdk';
+
+      // Handle the callback - this will post the token back to the parent window
+      handleAuthCallback((error) => {
+        console.error('Auth callback error:', error);
+      });
+    </script>
+  </head>
+  <body>
+    <div
+      style="display: flex; align-items: center; justify-content: center; min-height: 100vh; font-family: sans-serif;"
+    >
+      <p>Completing authentication...</p>
+    </div>
+  </body>
+</html>
+```
+
+**How it works:**
+
+1. User clicks "Login" → SDK opens popup to Prividium user panel
+2. User authenticates → user panel redirects popup to your callback page
+3. Callback page calls `handleAuthCallback()` → token is posted back to parent via `postMessage`
+4. SDK receives token, validates state parameter (CSRF protection), and closes popup
+5. Your app is now authenticated
+
+**Note:**
+
+- The callback page must be hosted on the same origin as your main application that initiates the auth flow.
+
+## API Reference
+
+### `createPrividiumChain(config)`
+
+Creates a new Prividium SDK instance.
+
+**Parameters:**
+
+```typescript
+interface PrividiumConfig {
+  clientId: string; // OAuth client ID
+  chain: Chain; // Viem chain configuration (without rpcUrls)
+  rpcUrl: string; // Private RPC endpoint URL
+  authBaseUrl: string; // Authorization service base URL
+  redirectUrl: string; // OAuth redirect URL
+  storage?: Storage; // Custom storage implementation (optional)
+  onAuthExpiry?: () => void; // Called when authentication expires (optional)
+}
+```
+
+**Returns:** `PrividiumChain`
+
+### PrividiumChain Methods
+
+#### `authorize(options?)`
+
+Opens authentication popup and handles OAuth flow.
+
+```typescript
+await prividium.authorize({
+  popupSize: { w: 600, h: 700 } // Optional custom popup dimensions
+});
+```
+
+**Returns:** `Promise<string>` - JWT token
+
+#### `unauthorize()`
+
+Clears authentication state and tokens.
+
+```typescript
+prividium.unauthorize();
+```
+
+#### `isAuthorized()`
+
+Checks if user is currently authenticated with valid token.
+
+```typescript
+const authenticated = prividium.isAuthorized();
+```
+
+**Returns:** `boolean`
+
+#### `getAuthHeaders()`
+
+Gets current authentication headers for manual use.
+
+```typescript
+const headers = prividium.getAuthHeaders();
+// Returns: { Authorization: 'Bearer <token>' } | null
+```
+
+**Returns:** `Record<string, string> | null`
+
+### `handleAuthCallback(onError?)`
+
+Handles the OAuth callback on the redirect page. Call this function from your callback page to complete the
+authentication flow.
+
+```typescript
+import { handleAuthCallback } from '@repo/prividium-sdk';
+
+handleAuthCallback((error) => {
+  // Optional: Handle errors (e.g., display error message to user)
+  console.error('Auth callback error:', error);
+});
+```
+
+**Parameters:**
+
+- `onError?: (error: string) => void` - Optional callback to handle errors
+
+**Behavior:**
+
+- Extracts token and state from URL hash fragment
+- Posts message to parent window via `postMessage`
+- Automatically closes popup window on success
+- Calls `onError` if any errors occur
+
+## Advanced Usage
+
+### Custom Storage
+
+Implement custom storage for different environments:
+
+```typescript
+class CustomStorage implements Storage {
+  getItem(key: string): string | null {
+    // Your implementation
+  }
+
+  setItem(key: string, value: string): void {
+    // Your implementation
+  }
+
+  removeItem(key: string): void {
+    // Your implementation
+  }
+}
+
+const prividium = createPrividiumChain({
+  // ... other config
+  storage: new CustomStorage()
+});
+```
+
+### Multiple Chains
+
+Support multiple Prividium chains:
+
+```typescript
+const testnetPrividium = createPrividiumChain({
+  clientId: 'your-testnet-client-id',
+  chain: testnetChain,
+  rpcUrl: 'https://testnet-rpc.prividium.io',
+  authBaseUrl: 'https://testnet-auth.prividium.io',
+  redirectUrl: window.location.origin + '/auth/callback'
+});
+
+const mainnetPrividium = createPrividiumChain({
+  clientId: 'your-mainnet-client-id',
+  chain: mainnetChain,
+  rpcUrl: 'https://mainnet-rpc.prividium.io',
+  authBaseUrl: 'https://mainnet-auth.prividium.io',
+  redirectUrl: window.location.origin + '/auth/callback'
+});
+```
+
+### Error Handling
+
+Handle authentication errors gracefully:
+
+```typescript
+try {
+  await prividium.authorize();
+} catch (error) {
+  if (error.message.includes('cancelled')) {
+    console.log('User cancelled authentication');
+  } else {
+    console.error('Authentication failed:', error);
+  }
+}
+```
+
+### Manual HTTP Requests
+
+Use authentication headers with custom HTTP requests:
+
+```typescript
+const headers = prividium.getAuthHeaders();
+if (headers) {
+  const response = await fetch('/api/protected', {
+    headers: {
+      ...headers,
+      'Content-Type': 'application/json'
+    }
+  });
+}
+```
+
+## Storage Keys
+
+The SDK uses the following localStorage keys:
+
+- `prividium_jwt_<chainId>` - JWT token storage
+- `prividium_auth_state_<chainId>` - OAuth state parameter
+
+## Security Considerations
+
+1. **Token Storage**: Tokens are stored in localStorage by default. Consider custom storage for sensitive applications.
+
+2. **CSRF Protection**: OAuth state parameter provides CSRF protection during authentication flow.
+
+3. **Token Expiration**: SDK automatically validates token expiration and clears expired tokens.
+
+4. **Origin Validation**: Popup messages are validated against the configured auth origin.
+
+## Development
+
+### Building
+
+```bash
+npm run build
+```
+
+### Testing
+
+```bash
+npm test
+```
+
+### Linting
+
+```bash
+npm run lint
+npm run lint:fix
+```
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -0,0 +1,6 @@
+export { createPrividiumChain } from './prividium-chain.js';
+export type { PrividiumConfig, PrividiumChain, PopupOptions, Storage, TokenData, UserProfile, UserRole } from './types.js';
+export { AUTH_ERRORS, STORAGE_KEYS } from './types.js';
+export { LocalStorage, TokenManager } from './storage.js';
+export { parseToken, isTokenExpired, generateRandomState } from './token-utils.js';
+export { PopupAuth, handleAuthCallback, type AuthCallbackMessage } from './popup-auth.js';

package/dist/index.js

@@ -0,0 +1,5 @@
+export { createPrividiumChain } from './prividium-chain.js';
+export { AUTH_ERRORS, STORAGE_KEYS } from './types.js';
+export { LocalStorage, TokenManager } from './storage.js';
+export { parseToken, isTokenExpired, generateRandomState } from './token-utils.js';
+export { PopupAuth, handleAuthCallback } from './popup-auth.js';

package/dist/popup-auth.d.ts

@@ -0,0 +1,38 @@
+import { type PopupOptions } from './types.js';
+import { type TokenManager } from './storage.js';
+export type OauthScope = 'wallet:required';
+export interface PopupAuthConfig {
+    authBaseUrl: string;
+    clientId: string;
+    redirectUri: string;
+    tokenManager: TokenManager;
+    onAuthExpiry?: () => void;
+    scope?: OauthScope[];
+}
+export declare class PopupAuth {
+    private config;
+    constructor(config: PopupAuthConfig);
+    authorize(options?: PopupOptions): Promise<string>;
+    private buildAuthUrl;
+    private openPopup;
+    unauthorize(): void;
+    isAuthorized(): boolean;
+}
+/**
+ * Interface for auth callback message posted to parent window
+ */
+export interface AuthCallbackMessage {
+    type: 'prividium-auth-callback';
+    token?: string;
+    state?: string;
+    error?: string;
+}
+/**
+ * Handles the authentication callback on the redirect page.
+ * This function should be called from the callback page that the user is redirected to
+ * after authentication. It extracts the token and state from the URL hash and posts
+ * them back to the opener window using postMessage.
+ *
+ * @param onError - Optional callback to handle errors (e.g., display error message to user)
+ */
+export declare function handleAuthCallback(onError?: (error: string) => void): void;

package/dist/popup-auth.js

@@ -0,0 +1,203 @@
+import { AUTH_ERRORS } from './types.js';
+import { generateRandomState } from './token-utils.js';
+export class PopupAuth {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    async authorize(options = {}) {
+        const { popupSize = { w: 500, h: 600 } } = options;
+        const state = generateRandomState();
+        this.config.tokenManager.setState(state);
+        const authUrl = this.buildAuthUrl(state);
+        const popup = this.openPopup(authUrl, popupSize);
+        return new Promise((resolve, reject) => {
+            const TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
+            let checkInterval = null;
+            let timeoutId = null;
+            const cleanup = () => {
+                if (checkInterval) {
+                    clearInterval(checkInterval);
+                    checkInterval = null;
+                }
+                if (timeoutId) {
+                    clearTimeout(timeoutId);
+                    timeoutId = null;
+                }
+                window.removeEventListener('message', messageHandler);
+            };
+            const messageHandler = (event) => {
+                // Validate message type
+                if (!event.data || event.data.type !== 'prividium-auth-callback') {
+                    return;
+                }
+                // Validate origin matches redirect URI origin
+                const redirectUrl = new URL(this.config.redirectUri);
+                if (event.origin !== redirectUrl.origin) {
+                    console.warn(`Received message from unexpected origin: ${event.origin}`);
+                    return;
+                }
+                // Handle error from callback
+                if (event.data.error) {
+                    popup.close();
+                    cleanup();
+                    this.config.tokenManager.clearState();
+                    this.config.tokenManager.clearToken();
+                    reject(new Error(event.data.error));
+                    return;
+                }
+                const { token, state: receivedState } = event.data;
+                // Validate state
+                if (!receivedState) {
+                    popup.close();
+                    cleanup();
+                    this.config.tokenManager.clearState();
+                    reject(new Error(AUTH_ERRORS.INVALID_STATE));
+                    return;
+                }
+                if (receivedState !== state) {
+                    popup.close();
+                    cleanup();
+                    this.config.tokenManager.clearState();
+                    reject(new Error(AUTH_ERRORS.INVALID_STATE));
+                    return;
+                }
+                // Validate token
+                if (!token) {
+                    popup.close();
+                    cleanup();
+                    this.config.tokenManager.clearState();
+                    reject(new Error(AUTH_ERRORS.NO_TOKEN));
+                    return;
+                }
+                // Success - store token and resolve
+                try {
+                    const tokenData = this.config.tokenManager.setToken(token);
+                    this.config.tokenManager.clearState();
+                    popup.close();
+                    cleanup();
+                    resolve(tokenData.rawToken);
+                }
+                catch (error) {
+                    popup.close();
+                    cleanup();
+                    this.config.tokenManager.clearState();
+                    this.config.tokenManager.clearToken();
+                    // eslint-disable-next-line @typescript-eslint/prefer-promise-reject-errors
+                    reject(error);
+                }
+            };
+            // Listen for postMessage from callback page
+            window.addEventListener('message', messageHandler);
+            // Check if popup is closed (user cancelled)
+            checkInterval = setInterval(() => {
+                if (popup.closed) {
+                    cleanup();
+                    this.config.tokenManager.clearState();
+                    reject(new Error('Authentication was cancelled'));
+                }
+            }, 500);
+            // Set timeout for authentication
+            timeoutId = setTimeout(() => {
+                if (!popup.closed) {
+                    popup.close();
+                }
+                cleanup();
+                this.config.tokenManager.clearState();
+                reject(new Error('Authentication timeout'));
+            }, TIMEOUT_MS);
+        });
+    }
+    buildAuthUrl(state) {
+        const url = new URL('/auth/authorize', this.config.authBaseUrl);
+        url.searchParams.set('client_id', this.config.clientId);
+        url.searchParams.set('redirect_uri', this.config.redirectUri);
+        url.searchParams.set('state', state);
+        url.searchParams.set('response_type', 'token');
+        if (this.config.scope?.length) {
+            for (const scope of this.config.scope) {
+                url.searchParams.append('scope', scope);
+            }
+        }
+        return url.toString();
+    }
+    openPopup(url, size) {
+        const left = window.screen.width / 2 - size.w / 2;
+        const top = window.screen.height / 2 - size.h / 2;
+        // Note: We intentionally do NOT use 'noopener' here because:
+        // 1. The callback page needs window.opener to post messages back
+        // 2. We validate message origin strictly in the message handler
+        // 3. The auth flow goes through trusted domains (user-panel -> callback page)
+        // This is the standard approach for OAuth2 popup flows
+        const popup = window.open(url, 'prividium-auth', `scrollbars=yes,resizable=yes,status=yes,location=yes,toolbar=no,menubar=no,width=${size.w},height=${size.h},top=${top},left=${left}`);
+        if (!popup) {
+            throw new Error('Failed to open popup. Please allow popups for this site.');
+        }
+        return popup;
+    }
+    unauthorize() {
+        this.config.tokenManager.clearToken();
+        this.config.tokenManager.clearState();
+    }
+    isAuthorized() {
+        return this.config.tokenManager.isAuthorized();
+    }
+}
+/**
+ * Handles the authentication callback on the redirect page.
+ * This function should be called from the callback page that the user is redirected to
+ * after authentication. It extracts the token and state from the URL hash and posts
+ * them back to the opener window using postMessage.
+ *
+ * @param onError - Optional callback to handle errors (e.g., display error message to user)
+ */
+export function handleAuthCallback(onError) {
+    try {
+        // Check if window.opener exists
+        if (!window.opener) {
+            const error = 'No opener window found. This page must be opened from the authentication popup.';
+            onError?.(error);
+            return;
+        }
+        // Post only to current for secure postMessage
+        const origin = window.origin;
+        // Parse hash parameters
+        const hash = window.location.hash.replace(/^#/, '');
+        const params = new URLSearchParams(hash);
+        const token = params.get('token');
+        const state = params.get('state');
+        if (!token) {
+            const message = {
+                type: 'prividium-auth-callback',
+                error: AUTH_ERRORS.NO_TOKEN
+            };
+            window.opener.postMessage(message, origin);
+            onError?.(AUTH_ERRORS.NO_TOKEN);
+            return;
+        }
+        if (!state) {
+            const message = {
+                type: 'prividium-auth-callback',
+                error: AUTH_ERRORS.NO_RECEIVED_STATE
+            };
+            window.opener.postMessage(message, origin);
+            onError?.(AUTH_ERRORS.NO_RECEIVED_STATE);
+            return;
+        }
+        // Post success message to opener
+        const message = {
+            type: 'prividium-auth-callback',
+            token: decodeURIComponent(token),
+            state
+        };
+        window.opener.postMessage(message, origin);
+        // Close the window after a short delay to ensure message is sent
+        setTimeout(() => {
+            window.close();
+        }, 100);
+    }
+    catch (error) {
+        const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
+        onError?.(errorMessage);
+    }
+}

package/dist/prividium-chain.d.ts

@@ -0,0 +1,2 @@
+import { type PrividiumConfig, type PrividiumChain } from './types.js';
+export declare function createPrividiumChain(config: PrividiumConfig): PrividiumChain;

package/dist/prividium-chain.js

@@ -0,0 +1,98 @@
+import { http } from 'viem';
+import { chainConfig } from 'viem/zksync';
+import { LocalStorage, TokenManager } from './storage.js';
+import { PopupAuth } from './popup-auth.js';
+export function createPrividiumChain(config) {
+    const storage = config.storage || new LocalStorage();
+    const tokenManager = new TokenManager(storage, config.chain.id);
+    const popupAuth = new PopupAuth({
+        clientId: config.clientId,
+        authBaseUrl: config.authBaseUrl,
+        redirectUri: config.redirectUrl,
+        scope: config.scope,
+        tokenManager,
+        onAuthExpiry: config.onAuthExpiry
+    });
+    const getAuthHeaders = () => {
+        const token = tokenManager.getToken();
+        if (token) {
+            return {
+                Authorization: `Bearer ${token.rawToken}`
+            };
+        }
+        return null;
+    };
+    // Create transport with auth integration using viem callbacks
+    const transport = http(config.rpcUrl, {
+        batch: false,
+        fetchOptions: {
+            headers: getAuthHeaders() || {}
+        },
+        onFetchRequest(_request, init) {
+            init.headers = {
+                ...init.headers,
+                ...getAuthHeaders()
+            };
+        },
+        onFetchResponse: (response) => {
+            // Handle 403 responses (expired token or no access)
+            if (response.status === 403) {
+                tokenManager.clearToken();
+                config.onAuthExpiry?.();
+            }
+        }
+    });
+    return {
+        chain: {
+            ...chainConfig,
+            ...config.chain,
+            contracts: {
+                ...chainConfig.contracts,
+                ...config.chain.contracts,
+                multicall3: undefined // Prividium doesn't support multicall yet
+            },
+            rpcUrls: { default: { http: [config.rpcUrl] } }
+        },
+        transport,
+        async authorize(options) {
+            return popupAuth.authorize(options);
+        },
+        unauthorize() {
+            popupAuth.unauthorize();
+        },
+        isAuthorized() {
+            return popupAuth.isAuthorized();
+        },
+        getAuthHeaders,
+        async fetchUser() {
+            const headers = getAuthHeaders();
+            if (!headers) {
+                throw new Error('Authentication required. Please call authorize() first.');
+            }
+            const response = await fetch(`${config.permissionsApiBaseUrl}/api/profiles/me`, {
+                method: 'GET',
+                headers: {
+                    'Content-Type': 'application/json',
+                    ...headers
+                }
+            });
+            if (response.status === 403) {
+                tokenManager.clearToken();
+                config.onAuthExpiry?.();
+                throw new Error('Authentication required. Please call authorize() first.');
+            }
+            if (!response.ok) {
+                throw new Error(`Failed to fetch user profile: ${response.status} ${response.statusText}`);
+            }
+            const userData = (await response.json());
+            return {
+                userId: userData.userId,
+                createdAt: new Date(userData.createdAt),
+                displayName: userData.displayName,
+                updatedAt: new Date(userData.updatedAt),
+                roles: userData.roles,
+                walletAddresses: userData.walletAddresses
+            };
+        }
+    };
+}

package/dist/storage.d.ts

@@ -0,0 +1,21 @@
+import { type Storage, type TokenData } from './types.js';
+export declare class LocalStorage implements Storage {
+    getItem(key: string): string | null;
+    setItem(key: string, value: string): void;
+    removeItem(key: string): void;
+}
+export declare class TokenManager {
+    private storage;
+    private chainId;
+    private tokenCache;
+    constructor(storage: Storage, chainId: number);
+    private get tokenKey();
+    private get stateKey();
+    getToken(): TokenData | null;
+    setToken(rawToken: string): TokenData;
+    clearToken(): void;
+    isAuthorized(): boolean;
+    setState(state: string): void;
+    getState(): string | null;
+    clearState(): void;
+}

package/dist/storage.js

@@ -0,0 +1,82 @@
+import { STORAGE_KEYS } from './types.js';
+import { parseToken, isTokenExpired } from './token-utils.js';
+export class LocalStorage {
+    getItem(key) {
+        if (typeof localStorage === 'undefined') {
+            return null;
+        }
+        return localStorage.getItem(key);
+    }
+    setItem(key, value) {
+        if (typeof localStorage !== 'undefined') {
+            localStorage.setItem(key, value);
+        }
+    }
+    removeItem(key) {
+        if (typeof localStorage !== 'undefined') {
+            localStorage.removeItem(key);
+        }
+    }
+}
+export class TokenManager {
+    storage;
+    chainId;
+    tokenCache = null;
+    constructor(storage, chainId) {
+        this.storage = storage;
+        this.chainId = chainId;
+    }
+    get tokenKey() {
+        return `${STORAGE_KEYS.TOKEN_PREFIX}${this.chainId}`;
+    }
+    get stateKey() {
+        return `${STORAGE_KEYS.STATE_PREFIX}${this.chainId}`;
+    }
+    getToken() {
+        if (this.tokenCache && !isTokenExpired(this.tokenCache)) {
+            return this.tokenCache;
+        }
+        const rawToken = this.storage.getItem(this.tokenKey);
+        if (!rawToken) {
+            this.tokenCache = null;
+            return null;
+        }
+        try {
+            this.tokenCache = parseToken(rawToken);
+            return this.tokenCache;
+        }
+        catch {
+            this.clearToken();
+            return null;
+        }
+    }
+    setToken(rawToken) {
+        try {
+            const tokenData = parseToken(rawToken);
+            this.storage.setItem(this.tokenKey, rawToken);
+            this.tokenCache = tokenData;
+            return tokenData;
+        }
+        catch (error) {
+            this.clearToken();
+            throw error;
+        }
+    }
+    clearToken() {
+        this.storage.removeItem(this.tokenKey);
+        this.tokenCache = null;
+    }
+    isAuthorized() {
+        const token = this.getToken();
+        return token !== null && !isTokenExpired(token);
+    }
+    setState(state) {
+        this.storage.setItem(this.stateKey, state);
+    }
+    getState() {
+        return this.storage.getItem(this.stateKey);
+    }
+    clearState() {
+        this.storage.removeItem(this.stateKey);
+    }
+}

package/dist/token-utils.d.ts

@@ -0,0 +1,4 @@
+import { type TokenData } from './types.js';
+export declare function parseToken(rawToken: string): TokenData;
+export declare function isTokenExpired(tokenData: TokenData): boolean;
+export declare function generateRandomState(): string;

package/dist/token-utils.js

@@ -0,0 +1,55 @@
+import { z } from 'zod';
+import { AUTH_ERRORS } from './types.js';
+const tokenSchema = z.object({
+    exp: z.coerce.number().int(),
+    sub: z.string().min(1),
+    preferred_username: z.string().optional()
+});
+function base64UrlDecode(str) {
+    const base64Encoded = str.replace(/-/g, '+').replace(/_/g, '/');
+    const padding = str.length % 4 === 0 ? '' : '='.repeat(4 - (str.length % 4));
+    const base64WithPadding = base64Encoded + padding;
+    return atob(base64WithPadding)
+        .split('')
+        .map((char) => String.fromCharCode(char.charCodeAt(0)))
+        .join('');
+}
+export function parseToken(rawToken) {
+    const parts = rawToken.split('.');
+    if (parts.length < 3) {
+        throw new Error(AUTH_ERRORS.INVALID_JWT);
+    }
+    let parsed;
+    try {
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
+        parsed = JSON.parse(base64UrlDecode(parts[1]));
+    }
+    catch (e) {
+        if (!(e instanceof SyntaxError)) {
+            console.error(e);
+        }
+        throw new Error(AUTH_ERRORS.INVALID_JWT);
+    }
+    const validated = tokenSchema.safeParse(parsed);
+    if (!validated.success) {
+        throw new Error(`Invalid JWT body format: ${validated.error.message}`);
+    }
+    const expirationDate = new Date(validated.data.exp * 1000);
+    if (expirationDate <= new Date()) {
+        throw new Error(AUTH_ERRORS.EXPIRED_TOKEN);
+    }
+    return {
+        rawToken,
+        expirationDate,
+        sub: validated.data.sub,
+        preferred_username: validated.data.preferred_username
+    };
+}
+export function isTokenExpired(tokenData) {
+    return tokenData.expirationDate <= new Date();
+}
+export function generateRandomState() {
+    const array = new Uint8Array(32);
+    crypto.getRandomValues(array);
+    return Array.from(array, (byte) => byte.toString(16).padStart(2, '0')).join('');
+}

package/dist/types.d.ts

@@ -0,0 +1,68 @@
+import { type Chain, type Transport } from 'viem';
+import { type OauthScope } from './popup-auth.js';
+export interface Storage {
+    getItem(key: string): string | null;
+    setItem(key: string, value: string): void;
+    removeItem(key: string): void;
+}
+export interface PrividiumConfig {
+    clientId: string;
+    chain: Omit<Chain, 'rpcUrls'>;
+    rpcUrl: string;
+    authBaseUrl: string;
+    redirectUrl: string;
+    permissionsApiBaseUrl: string;
+    scope?: OauthScope[];
+    storage?: Storage;
+    onAuthExpiry?: () => void;
+}
+export interface UserRole {
+    roleName: string;
+}
+export interface UserProfile {
+    userId: string;
+    createdAt: Date;
+    displayName: string | null;
+    updatedAt: Date;
+    roles: UserRole[];
+    walletAddresses: string[];
+}
+export interface PrividiumChain {
+    chain: Chain;
+    transport: Transport;
+    authorize(opts?: {
+        popupSize?: {
+            w: number;
+            h: number;
+        };
+    }): Promise<string>;
+    unauthorize(): void;
+    isAuthorized(): boolean;
+    getAuthHeaders(): Record<string, string> | null;
+    fetchUser(): Promise<UserProfile>;
+}
+export interface TokenData {
+    rawToken: string;
+    expirationDate: Date;
+    sub: string;
+    preferred_username?: string;
+}
+export interface PopupOptions {
+    popupSize?: {
+        w: number;
+        h: number;
+    };
+}
+export declare const AUTH_ERRORS: {
+    readonly INVALID_STATE: "Invalid state parameter";
+    readonly NO_RECEIVED_STATE: "No state parameter";
+    readonly NO_SAVED_STATE: "No saved state";
+    readonly NO_TOKEN: "No token received";
+    readonly EXPIRED_TOKEN: "Expired token";
+    readonly INVALID_JWT: "Invalid JWT format";
+    readonly AUTH_REQUIRED: "Authentication required";
+};
+export declare const STORAGE_KEYS: {
+    readonly STATE_PREFIX: "prividium_auth_state_";
+    readonly TOKEN_PREFIX: "prividium_jwt_";
+};

package/dist/types.js

@@ -0,0 +1,13 @@
+export const AUTH_ERRORS = {
+    INVALID_STATE: 'Invalid state parameter',
+    NO_RECEIVED_STATE: 'No state parameter',
+    NO_SAVED_STATE: 'No saved state',
+    NO_TOKEN: 'No token received',
+    EXPIRED_TOKEN: 'Expired token',
+    INVALID_JWT: 'Invalid JWT format',
+    AUTH_REQUIRED: 'Authentication required'
+};
+export const STORAGE_KEYS = {
+    STATE_PREFIX: 'prividium_auth_state_',
+    TOKEN_PREFIX: 'prividium_jwt_'
+};

package/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "prividium",
+  "version": "0.0.1-beta",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "lint": "eslint . --ignore-path ../../.gitignore --max-warnings 0",
+    "lint:fix": "eslint . --fix --ignore-path ../../.gitignore",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "typecheck": "tsc --noEmit",
+    "typecheck:test": "tsc --project tsconfig.test.json --noEmit"
+  },
+  "dependencies": {
+    "zod": "^3.23.8"
+  },
+  "peerDependencies": {
+    "viem": ">=2.0.0"
+  },
+  "devDependencies": {
+    "@repo/eslint-config": "workspace:*",
+    "@types/node": "^22.8.6",
+    "eslint": "^8",
+    "jsdom": "^25.0.0",
+    "typescript": "^5.8.3",
+    "vitest": "^3.2.4"
+  }
+}