supaapps-auth 2.0.0 → 3.0.0

package/dist/index.d.ts

@@ -1,2 +1,88 @@
-export * from './types';
-export { AuthManager } from './AuthManager';
+declare enum AuthEventType {
+    INITALIZED_IN = "initialized-logged-in",
+    INITALIZED_OUT = "initialized-logged-out",
+    USER_LOGGED_IN = "user-logged-in",
+    USER_LOGGED_OUT = "user-logged-out",
+    USER_UPDATED = "user-updated",
+    FAILED_MUST_LOGIN_CHECK = "failed-must-login",
+    REFRESH_FAILED = "refresh-failed"
+}
+interface UserTokenPayload {
+    id: number;
+    iss: string;
+    sub: number | string;
+    first_name: string;
+    last_name: string;
+    email: string;
+    aud: string;
+    iat: number;
+    exp: number;
+    scopes: string;
+    realm: string;
+    provider: Platforms;
+}
+interface AuthManagerEvent {
+    type: AuthEventType;
+    user?: UserTokenPayload;
+}
+interface PlatformCheckResponse {
+    platforms: Platforms[];
+}
+declare enum Platforms {
+    PASSWORD = "password",
+    GOOGLE = "google",
+    FACEBOOK = "facebook",
+    TWITTER = "twitter",
+    GITHUB = "github",
+    APPLE = "apple",
+    LINKEDIN = "linkedin",
+    MICROSOFT = "microsoft"
+}
+
+declare class AuthManager {
+    private static instance;
+    private authServer;
+    private realmName;
+    private redirectUri;
+    private onStateChange;
+    private constructor();
+    static initialize(authServer: string, realmName: string, redirectUri: string, onStateChange: (event: AuthManagerEvent) => void): AuthManager;
+    static getInstance(): AuthManager;
+    private tokenToPayload;
+    private generatePKCEPair;
+    refreshAccessToken(isInitialization?: boolean): Promise<string>;
+    checkAccessToken(isInitilization?: boolean): Promise<string | null>;
+    private isTokenExpired;
+    mustBeLoggedIn(): Promise<void>;
+    getLoginWithGoogleUri(): string;
+    isLoggedIn(): Promise<boolean>;
+    getAccessToken(mustBeLoggedIn?: boolean): Promise<string | null>;
+    platformCheck(email: string): Promise<PlatformCheckResponse>;
+    verifyEmail(email: string, token: string): Promise<boolean>;
+    doPassReset(email: string, token: string, newPassword: string): Promise<boolean>;
+    changeEmail(email: string): Promise<boolean>;
+    initPasswordReset(email: string): Promise<boolean>;
+    /**
+     * Updates user account fields. Only sends fields present in the update object.
+     * For password, expects: { old: string, new: string }
+     */
+    updateAccount(update: {
+        firstName?: string;
+        lastName?: string;
+        email?: string;
+        password?: {
+            old: string;
+            new: string;
+        };
+    }): Promise<boolean>;
+    changePassword(oldPassword: string, newPassword: string, email: string): Promise<boolean>;
+    registerUsingEmail(firstName: string, lastName: string, email: string, password: string): Promise<void>;
+    private saveTokens;
+    loginUsingEmail(email: string, password: string): Promise<void>;
+    loginUsingPkce(code: string): Promise<void>;
+    logout(): Promise<void>;
+    static validateToken(authServer: string, bearerToken: string): Promise<UserTokenPayload>;
+    static resetInstance(): void;
+}
+
+export { AuthEventType, AuthManager, type AuthManagerEvent, type PlatformCheckResponse, Platforms, type UserTokenPayload };

package/dist/index.js

@@ -1,20 +1,476 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+// src/types.ts
+var AuthEventType = /* @__PURE__ */ ((AuthEventType2) => {
+  AuthEventType2["INITALIZED_IN"] = "initialized-logged-in";
+  AuthEventType2["INITALIZED_OUT"] = "initialized-logged-out";
+  AuthEventType2["USER_LOGGED_IN"] = "user-logged-in";
+  AuthEventType2["USER_LOGGED_OUT"] = "user-logged-out";
+  AuthEventType2["USER_UPDATED"] = "user-updated";
+  AuthEventType2["FAILED_MUST_LOGIN_CHECK"] = "failed-must-login";
+  AuthEventType2["REFRESH_FAILED"] = "refresh-failed";
+  return AuthEventType2;
+})(AuthEventType || {});
+var Platforms = /* @__PURE__ */ ((Platforms2) => {
+  Platforms2["PASSWORD"] = "password";
+  Platforms2["GOOGLE"] = "google";
+  Platforms2["FACEBOOK"] = "facebook";
+  Platforms2["TWITTER"] = "twitter";
+  Platforms2["GITHUB"] = "github";
+  Platforms2["APPLE"] = "apple";
+  Platforms2["LINKEDIN"] = "linkedin";
+  Platforms2["MICROSOFT"] = "microsoft";
+  return Platforms2;
+})(Platforms || {});
+
+// src/AuthManager.ts
+import axios from "axios";
+import {
+  jwtVerify
+} from "jose";
+import { jwtDecode } from "jwt-decode";
+
+// src/utils/pkce.ts
+import { sha256 } from "js-sha256";
+var nodeCrypto;
+if (typeof window === "undefined") {
+  nodeCrypto = await import("crypto");
+}
+function toBase64Url(bytes) {
+  let base64;
+  if (typeof Buffer !== "undefined" && Buffer.isBuffer(bytes)) {
+    base64 = bytes.toString("base64");
+  } else {
+    let binary = "";
+    const chunkSize = 32768;
+    for (let i = 0; i < bytes.length; i += chunkSize) {
+      const chunk = bytes.subarray(i, i + chunkSize);
+      binary += String.fromCharCode(...chunk);
+    }
+    base64 = btoa(binary);
+  }
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function generateCodeVerifier(length = 32) {
+  let bytes;
+  if (typeof window === "undefined") {
+    bytes = nodeCrypto.randomBytes(length);
+  } else {
+    bytes = new Uint8Array(length);
+    window.crypto.getRandomValues(bytes);
+  }
+  return toBase64Url(bytes);
+}
+function generateCodeChallenge(verifier) {
+  const hashBytes = new Uint8Array(sha256.array(verifier));
+  return toBase64Url(hashBytes);
+}
+
+// src/AuthManager.ts
+var AuthManager = class _AuthManager {
+  static instance = null;
+  authServer;
+  realmName;
+  redirectUri;
+  onStateChange;
+  constructor(authServer, realmName, redirectUri, onStateChange) {
+    this.authServer = authServer;
+    this.realmName = realmName;
+    this.redirectUri = redirectUri;
+    this.onStateChange = onStateChange;
+    _AuthManager.instance = this;
+  }
+  static initialize(authServer, realmName, redirectUri, onStateChange) {
+    if (!_AuthManager.instance) {
+      _AuthManager.instance = new _AuthManager(
+        authServer,
+        realmName,
+        redirectUri,
+        onStateChange
+      );
+      _AuthManager.instance.checkAccessToken(true).then((token) => {
+        onStateChange({
+          type: "initialized-logged-in" /* INITALIZED_IN */,
+          user: _AuthManager.instance?.tokenToPayload(token)
+        });
+      }).catch(() => {
+        onStateChange({ type: "initialized-logged-out" /* INITALIZED_OUT */ });
+      });
+    }
+    return _AuthManager.instance;
+  }
+  static getInstance() {
+    if (!_AuthManager.instance) {
+      throw new Error("AuthManager not initialized");
+    }
+    return _AuthManager.instance;
+  }
+  tokenToPayload(token) {
+    return JSON.parse(atob(token.split(".")[1]));
+  }
+  generatePKCEPair() {
+    const verifier = localStorage.getItem("codeVerifier") ?? generateCodeVerifier();
+    const challenge = localStorage.getItem("codeChallenge") ?? generateCodeChallenge(verifier);
+    localStorage.setItem("codeVerifier", verifier);
+    localStorage.setItem("codeChallenge", challenge);
+    return { verifier, challenge };
+  }
+  async refreshAccessToken(isInitialization = false) {
+    try {
+      const refreshToken = localStorage.getItem("refresh_token");
+      if (!refreshToken) {
+        throw new Error("No refresh token found");
+      }
+      const response = await axios.post(
+        `${this.authServer}auth/refresh`,
+        {
+          refresh_token: refreshToken
+        }
+      );
+      this.saveTokens(response, true);
+      return response.data.access_token;
+    } catch (error) {
+      console.error(`Refresh token error, logging out: ${error}`);
+      localStorage.removeItem("access_token");
+      localStorage.removeItem("refresh_token");
+      if (!isInitialization) {
+        this.onStateChange({ type: "refresh-failed" /* REFRESH_FAILED */ });
+      }
+      throw error;
+    }
+  }
+  async checkAccessToken(isInitilization = false) {
+    const accessToken = localStorage.getItem("access_token");
+    if (accessToken && this.isTokenExpired(accessToken)) {
+      return this.refreshAccessToken(isInitilization);
+    }
+    return accessToken;
+  }
+  isTokenExpired(token) {
+    const decoded = this.tokenToPayload(token);
+    return decoded.exp < Date.now() / 1e3;
+  }
+  async mustBeLoggedIn() {
+    if (!await this.isLoggedIn()) {
+      this.onStateChange({
+        type: "failed-must-login" /* FAILED_MUST_LOGIN_CHECK */
+      });
+    }
+  }
+  getLoginWithGoogleUri() {
+    const { challenge } = this.generatePKCEPair();
+    return `${this.authServer}auth/login_with_google?realm_name=${this.realmName}&redirect_uri=${encodeURIComponent(this.redirectUri)}&code_challenge=${challenge}&code_challenge_method=S256`;
+  }
+  async isLoggedIn() {
+    const accessToken = localStorage.getItem("access_token");
+    const refreshToken = localStorage.getItem("refresh_token");
+    if (!accessToken || !refreshToken) {
+      return false;
+    }
+    if (this.isTokenExpired(accessToken)) {
+      try {
+        await this.refreshAccessToken();
+        return true;
+      } catch {
+        return false;
+      }
+    }
+    return true;
+  }
+  async getAccessToken(mustBeLoggedIn = false) {
+    try {
+      return await this.checkAccessToken();
+    } catch (error) {
+      if (mustBeLoggedIn) {
+        this.onStateChange({
+          type: "failed-must-login" /* FAILED_MUST_LOGIN_CHECK */
+        });
+      }
+      return "";
+    }
+  }
+  async platformCheck(email) {
+    const response = await axios.post(
+      `${this.authServer}auth/email/platform_check`,
+      {
+        realm_name: this.realmName,
+        email
+      }
+    );
+    if (response.data.error || response.data.errors) {
+      throw new Error(response.data.error || response.data.message);
+    }
+    return response.status === 200 ? response.data : { platforms: [] };
+  }
+  async verifyEmail(email, token) {
+    const response = await axios.post(
+      `${this.authServer}auth/email/verify`,
+      {
+        realm_name: this.realmName,
+        email,
+        token
+      }
+    );
+    if (response.data.error || response.data.errors) {
+      throw new Error(response.data.error || response.data.message);
+    }
+    return response.status === 200;
+  }
+  async doPassReset(email, token, newPassword) {
+    const response = await axios.post(
+      `${this.authServer}auth/email/do_pass_reset`,
+      {
+        realm_name: this.realmName,
+        email,
+        token,
+        new_password: newPassword
+      }
+    );
+    if (response.data.error || response.data.errors) {
+      throw new Error(response.data.error || response.data.message);
+    }
+    return response.status === 200;
+  }
+  async changeEmail(email) {
+    const accessToken = localStorage.getItem("access_token");
+    if (!accessToken) {
+      throw new Error("Access token not found");
+    }
+    const response = await axios.post(
+      `${this.authServer}auth/email/change_email`,
+      {
+        realm_name: this.realmName,
+        email
+      },
+      {
+        headers: { Authorization: `Bearer ${accessToken}` }
+      }
+    );
+    if (response.data.error || response.data.errors) {
+      throw new Error(response.data.error || response.data.message);
+    }
+    return response.status === 200;
+  }
+  async initPasswordReset(email) {
+    const response = await axios.post(
+      `${this.authServer}auth/email/init_pass_reset`,
+      {
+        realm_name: this.realmName,
+        email
+      }
+    );
+    if (response.data.error || response.data.errors) {
+      throw new Error(response.data.error || response.data.message);
+    }
+    return response.status === 200 || response.status === 201;
+  }
+  /**
+   * Updates user account fields. Only sends fields present in the update object.
+   * For password, expects: { old: string, new: string }
+   */
+  async updateAccount(update) {
+    const accessToken = localStorage.getItem("access_token");
+    if (!accessToken) {
+      throw new Error("Access token not found");
+    }
+    if (update.firstName || update.lastName) {
+      const response = await axios.post(
+        `${this.authServer}auth/email/update_profile`,
+        {
+          realm_name: this.realmName,
+          ...update.firstName && { first_name: update.firstName },
+          ...update.lastName && { last_name: update.lastName }
+        },
+        {
+          headers: { Authorization: `Bearer ${accessToken}` }
+        }
+      );
+      if (response.data.error || response.data.errors) {
+        throw new Error(response.data.error || response.data.message);
+      }
+    }
+    if (update.email) {
+      const response = await axios.post(
+        `${this.authServer}auth/email/change_email`,
+        {
+          realm_name: this.realmName,
+          email: update.email
+        },
+        {
+          headers: { Authorization: `Bearer ${accessToken}` }
+        }
+      );
+      if (response.data.error || response.data.errors) {
+        throw new Error(response.data.error || response.data.message);
+      }
+    }
+    if (update.password && update.email) {
+      const response = await axios.post(
+        `${this.authServer}auth/email/change_pass`,
+        {
+          realm_name: this.realmName,
+          email: update.email,
+          old_password: update.password.old,
+          new_password: update.password.new
+        },
+        {
+          headers: { Authorization: `Bearer ${accessToken}` }
+        }
+      );
+      if (response.data.error || response.data.errors) {
+        throw new Error(response.data.error || response.data.message);
+      }
+    } else if (update.password && !update.email) {
+      throw new Error("Email is required to change password");
+    }
+    return true;
+  }
+  async changePassword(oldPassword, newPassword, email) {
+    const accessToken = localStorage.getItem("access_token");
+    if (!accessToken) {
+      throw new Error("Access token not found");
+    }
+    const response = await axios.post(
+      `${this.authServer}auth/email/change_pass`,
+      {
+        realm_name: this.realmName,
+        email,
+        old_password: oldPassword,
+        new_password: newPassword
+      },
+      {
+        headers: { Authorization: `Bearer ${accessToken}` }
+      }
+    );
+    if (response.data.error || response.data.errors) {
+      throw new Error(response.data.error || response.data.message);
+    }
+    return response.status === 200;
+  }
+  async registerUsingEmail(firstName, lastName, email, password) {
+    const response = await axios.post(
+      `${this.authServer}auth/email/register`,
+      {
+        realm_name: this.realmName,
+        first_name: firstName,
+        last_name: lastName,
+        email,
+        password
+      }
+    );
+    if (response.data.message || response.data.error) {
+      throw new Error(response.data.message || response.data.error);
+    }
+    if (!response.data.access_token) {
+      throw new Error("Something went wrong");
+    }
+    this.saveTokens(response, false);
+  }
+  saveTokens(response, byRefresh) {
+    localStorage.setItem("access_token", response.data.access_token);
+    localStorage.setItem(
+      "refresh_token",
+      response.data.refresh_token
+    );
+    this.onStateChange({
+      type: byRefresh ? "user-updated" /* USER_UPDATED */ : "user-logged-in" /* USER_LOGGED_IN */,
+      user: this.tokenToPayload(response.data.access_token)
+    });
+    const user = this.tokenToPayload(response.data.access_token);
+    localStorage.setItem("user", JSON.stringify(user));
+  }
+  async loginUsingEmail(email, password) {
+    const response = await axios.post(
+      `${this.authServer}auth/email/login`,
+      {
+        realm_name: this.realmName,
+        email,
+        password
+      }
+    );
+    if (response.data.message || response.data.error) {
+      throw new Error(response.data.message || response.data.error);
+    }
+    this.saveTokens(response, false);
+  }
+  async loginUsingPkce(code) {
+    try {
+      const codeVerifier = localStorage.getItem("codeVerifier");
+      if (!codeVerifier) {
+        throw new Error("Code verifier not found");
+      }
+      const response = await axios.post(
+        `${this.authServer}auth/pkce_exchange`,
+        {
+          realm_name: this.realmName,
+          code,
+          redirect_uri: this.redirectUri,
+          code_verifier: codeVerifier
+        }
+      );
+      this.saveTokens(response, false);
+    } finally {
+      localStorage.removeItem("codeVerifier");
+      localStorage.removeItem("codeChallenge");
+    }
+  }
+  async logout() {
+    try {
+      const accessToken = localStorage.getItem("access_token");
+      if (!accessToken) {
+        throw new Error("Access token not found");
+      }
+      await axios.post(
+        `${this.authServer}auth/logout`,
+        {},
+        {
+          headers: { Authorization: `Bearer ${accessToken}` }
+        }
+      );
+    } finally {
+      localStorage.removeItem("access_token");
+      localStorage.removeItem("refresh_token");
+      this.onStateChange({ type: "user-logged-out" /* USER_LOGGED_OUT */ });
+    }
+  }
+  static async validateToken(authServer, bearerToken) {
+    const decodedToken = jwtDecode(bearerToken);
+    if (!decodedToken) {
+      throw new Error("Not a valid jwt token");
+    }
+    const userToken = {
+      id: decodedToken.id,
+      iss: decodedToken.iss,
+      sub: typeof decodedToken.sub === "string" ? parseInt(decodedToken.sub) : decodedToken.sub,
+      first_name: decodedToken.first_name,
+      last_name: decodedToken.last_name,
+      email: decodedToken.email,
+      aud: decodedToken.aud,
+      iat: decodedToken.iat,
+      exp: decodedToken.exp,
+      scopes: decodedToken.scopes,
+      realm: decodedToken.realm,
+      provider: decodedToken.provider
+    };
+    const { data: publicKey } = await axios.get(
+      `${authServer}public/public_key`
+    );
+    const { data: algo } = await axios.get(
+      `${authServer}public/algo`
+    );
+    jwtVerify(bearerToken, publicKey, { algorithms: [algo] });
+    const { data: revokedIds } = await axios.get(
+      `${authServer}public/revoked_ids`
+    );
+    if (revokedIds.includes(decodedToken.id)) {
+      throw new Error("Token is revoked");
+    }
+    return userToken;
+  }
+  static resetInstance() {
+    _AuthManager.instance = null;
+  }
+};
+export {
+  AuthEventType,
+  AuthManager,
+  Platforms
 };
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthManager = void 0;
-__exportStar(require("./types"), exports);
-var AuthManager_1 = require("./AuthManager");
-Object.defineProperty(exports, "AuthManager", { enumerable: true, get: function () { return AuthManager_1.AuthManager; } });

package/package.json

@@ -1,27 +1,35 @@
 {
   "name": "supaapps-auth",
-  "version": "2.0.0",
+  "version": "3.0.0",
   "description": "",
-  "main": "dist/index.js",
+  "type": "module",
+  "module": "dist/index.js",
   "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js"
+    }
+  },
   "scripts": {
-    "test": "jest",
-    "build": "tsc",
+    "test": "vitest",
+    "build": "tsup src/index.ts --format esm --dts --clean",
+    "watch": "tsup src/index.ts --format esm --dts --watch",
     "lint": "eslint src/ --ext .ts,.tsx"
   },
+  "files": [
+    "dist"
+  ],
   "author": "",
   "license": "MIT",
   "dependencies": {
     "axios": "^1.6.7",
-    "crypto": "^1.0.1",
-    "jsonwebtoken": "^9.0.2"
+    "jose": "^6.1.0",
+    "js-sha256": "^0.11.1",
+    "jwt-decode": "^4.0.0"
   },
   "devDependencies": {
     "@next/eslint-plugin-next": "^13.5.6",
     "@types/axios": "^0.14.0",
-    "@types/jest": "^29.5.12",
-    "@types/jsonwebtoken": "^9.0.6",
-    "@types/node": "^20.12.12",
     "@typescript-eslint/eslint-plugin": "^6.21.0",
     "@typescript-eslint/parser": "^6.21.0",
     "axios-mock-adapter": "^1.22.0",
@@ -32,11 +40,9 @@
     "eslint-config-prettier": "^9.1.0",
     "eslint-config-supaapps": "^1.1.0",
     "eslint-plugin-import": "^2.29.1",
-    "jest": "^29.7.0",
-    "jest-localstorage-mock": "^2.4.26",
-    "jest-mock-axios": "^4.7.3",
-    "ts-jest": "^29.1.2",
-    "typescript": "^5.3.3",
-    "undefined": "^0.1.0"
+    "jsdom": "^27.2.0",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.10"
   }
 }

package/.eslintrc

@@ -1,3 +0,0 @@
-{
-    "extends": "supaapps"
-}

package/.github/workflows/ci.yml

@@ -1,32 +0,0 @@
-name: Node.js CI
-
-on: [push, pull_request]
-
-
-jobs:
-  build:
-
-    runs-on: ubuntu-latest
-
-    strategy:
-      matrix:
-        node-version: [18.x, 20.x]
-        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
-
-    steps:
-    - uses: actions/checkout@v3
-    - name: Use Node.js ${{ matrix.node-version }}
-      uses: actions/setup-node@v3
-      with:
-        node-version: ${{ matrix.node-version }}
-        cache: 'npm'
-    - run: npm ci
-    - run: npm run lint
-    - run: npm run build --if-present
-    - run: npm run test
-
-    - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@v4.0.1
-      with:
-        token: ${{ secrets.CODECOV_TOKEN }}
-        slug: supaapps/supaapps-auth