tenneo-auth-gateway-plugin 1.0.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +422 -0
- package/dist/index.d.mts +626 -0
- package/dist/index.d.ts +626 -0
- package/dist/index.js +3585 -0
- package/dist/index.js.map +1 -0
- package/dist/index.mjs +3520 -0
- package/dist/index.mjs.map +1 -0
- package/package.json +53 -0
package/dist/index.d.mts
ADDED
|
@@ -0,0 +1,626 @@
|
|
|
1
|
+
import React from 'react';
|
|
2
|
+
|
|
3
|
+
/**
|
|
4
|
+
* Public bootstrap API. Delegates to default engine.init() when set; otherwise runs runBootstrap().
|
|
5
|
+
*/
|
|
6
|
+
declare function bootstrap(): Promise<void>;
|
|
7
|
+
|
|
8
|
+
/**
|
|
9
|
+
* Logout: idempotent, host-driven config, no fragile host_config snapshot/restore.
|
|
10
|
+
*
|
|
11
|
+
* - Watchers suspended during teardown to avoid bootstrap races
|
|
12
|
+
* - Server logout: POST only (no unsafe GET fallback)
|
|
13
|
+
* - Local state always cleared even if server fails
|
|
14
|
+
* - Storage cache refreshed from current runtime config (memory/host), never a stale snapshot
|
|
15
|
+
*/
|
|
16
|
+
interface LogoutResponse {
|
|
17
|
+
success?: boolean;
|
|
18
|
+
message?: string;
|
|
19
|
+
logout?: boolean;
|
|
20
|
+
}
|
|
21
|
+
type LogoutResult = {
|
|
22
|
+
success: boolean;
|
|
23
|
+
message: string;
|
|
24
|
+
serverResponse?: LogoutResponse;
|
|
25
|
+
};
|
|
26
|
+
/**
|
|
27
|
+
* Idempotent logout: coalesces concurrent calls in the same JS realm; cross-tab deduped via short lock.
|
|
28
|
+
*/
|
|
29
|
+
declare function logout(tenantKey?: string): Promise<LogoutResult>;
|
|
30
|
+
|
|
31
|
+
/**
|
|
32
|
+
* Domain types for the authentication gateway plugin.
|
|
33
|
+
* Pure types; no I/O.
|
|
34
|
+
*/
|
|
35
|
+
interface TenantConfig {
|
|
36
|
+
tenantId: string;
|
|
37
|
+
authServer: string;
|
|
38
|
+
tenantKey?: string;
|
|
39
|
+
client: {
|
|
40
|
+
clientId: string;
|
|
41
|
+
clientCode?: string;
|
|
42
|
+
redirectUri: string;
|
|
43
|
+
scopes: string;
|
|
44
|
+
};
|
|
45
|
+
}
|
|
46
|
+
interface TokenResponse {
|
|
47
|
+
access_token: string;
|
|
48
|
+
refresh_token: string;
|
|
49
|
+
expires_in: number;
|
|
50
|
+
token_type?: string;
|
|
51
|
+
}
|
|
52
|
+
interface AuthState {
|
|
53
|
+
isAuthenticated: boolean;
|
|
54
|
+
accessToken: string | null;
|
|
55
|
+
isLoading: boolean;
|
|
56
|
+
error: string | null;
|
|
57
|
+
}
|
|
58
|
+
interface AuthContextValue extends AuthState {
|
|
59
|
+
login: () => Promise<void>;
|
|
60
|
+
logout: () => Promise<void>;
|
|
61
|
+
refreshToken: () => Promise<string>;
|
|
62
|
+
getAccessToken: () => Promise<string>;
|
|
63
|
+
setTokens: (accessToken: string) => void;
|
|
64
|
+
}
|
|
65
|
+
interface EnvConfig {
|
|
66
|
+
authServerUrl: string;
|
|
67
|
+
clientId: string;
|
|
68
|
+
redirectUri: string;
|
|
69
|
+
tenantId: string;
|
|
70
|
+
}
|
|
71
|
+
|
|
72
|
+
/**
|
|
73
|
+
* OAuth2 PKCE token exchange and refresh.
|
|
74
|
+
* Strategy-owned implementation; uses API_AUTH_BASE_URL only.
|
|
75
|
+
*/
|
|
76
|
+
|
|
77
|
+
declare function refreshAccessToken(): Promise<string>;
|
|
78
|
+
|
|
79
|
+
/**
|
|
80
|
+
* Token API: facades for public API.
|
|
81
|
+
* ensureValidAccessToken delegates to default engine when set; otherwise uses strategy refresh.
|
|
82
|
+
*/
|
|
83
|
+
|
|
84
|
+
declare function ensureValidAccessToken(): Promise<string>;
|
|
85
|
+
declare function getAccessToken$1(): string | null;
|
|
86
|
+
|
|
87
|
+
/**
|
|
88
|
+
* Storage adapter types for enterprise-grade token and key-value storage.
|
|
89
|
+
* SSR-safe: no direct window/document usage in interface.
|
|
90
|
+
*/
|
|
91
|
+
/**
|
|
92
|
+
* Shape of tokens stored by the adapter (used for getTokens/setTokens).
|
|
93
|
+
*/
|
|
94
|
+
interface AuthTokens {
|
|
95
|
+
accessToken: string;
|
|
96
|
+
refreshToken: string;
|
|
97
|
+
expiresAt: number;
|
|
98
|
+
}
|
|
99
|
+
/**
|
|
100
|
+
* Token-only storage contract (spec).
|
|
101
|
+
* Implementations must be SSR-safe: avoid window/document in method bodies
|
|
102
|
+
* or guard with typeof window !== 'undefined'.
|
|
103
|
+
*/
|
|
104
|
+
interface TokenStorageAdapter {
|
|
105
|
+
getTokens(): Promise<AuthTokens | null>;
|
|
106
|
+
setTokens(tokens: AuthTokens): Promise<void>;
|
|
107
|
+
clearTokens(): Promise<void>;
|
|
108
|
+
}
|
|
109
|
+
/**
|
|
110
|
+
* Optional key-value contract for config/flow flags.
|
|
111
|
+
* When implemented, allows replacing all sessionStorage/localStorage usage
|
|
112
|
+
* with a single injected adapter. Namespacing is applied by the adapter.
|
|
113
|
+
*/
|
|
114
|
+
interface KeyValueStorageAdapter {
|
|
115
|
+
getItem(key: string): Promise<string | null>;
|
|
116
|
+
setItem(key: string, value: string): Promise<void>;
|
|
117
|
+
removeItem(key: string): Promise<void>;
|
|
118
|
+
clear(): Promise<void>;
|
|
119
|
+
}
|
|
120
|
+
/**
|
|
121
|
+
* Optional synchronous access for backward compatibility with existing sync APIs.
|
|
122
|
+
* When implemented, storage layer uses these so callers remain sync.
|
|
123
|
+
*/
|
|
124
|
+
interface SyncStorageAdapter {
|
|
125
|
+
getTokensSync?(): AuthTokens | null;
|
|
126
|
+
setTokensSync?(tokens: AuthTokens): void;
|
|
127
|
+
clearTokensSync?(): void;
|
|
128
|
+
getItemSync?(key: string): string | null;
|
|
129
|
+
setItemSync?(key: string, value: string): void;
|
|
130
|
+
removeItemSync?(key: string): void;
|
|
131
|
+
clearSync?(): void;
|
|
132
|
+
}
|
|
133
|
+
/**
|
|
134
|
+
* Full storage adapter: tokens + key-value.
|
|
135
|
+
* Default adapters implement this and SyncStorageAdapter for sync compatibility.
|
|
136
|
+
*/
|
|
137
|
+
type StorageAdapter = TokenStorageAdapter & KeyValueStorageAdapter & Partial<SyncStorageAdapter>;
|
|
138
|
+
/**
|
|
139
|
+
* Namespace for storage keys: auth_${tenantId}_${appId}_*
|
|
140
|
+
* Used to isolate data per tenant and app (microfrontend support).
|
|
141
|
+
*/
|
|
142
|
+
interface StorageNamespace {
|
|
143
|
+
tenantId: string;
|
|
144
|
+
appId: string;
|
|
145
|
+
}
|
|
146
|
+
|
|
147
|
+
/**
|
|
148
|
+
* Storage key namespacing: auth_${tenantId}_${appId}_*
|
|
149
|
+
* Backward compatibility: when both tenantId and appId are empty, use dynamic prefix (from tenant code).
|
|
150
|
+
*/
|
|
151
|
+
|
|
152
|
+
/**
|
|
153
|
+
* Builds a namespaced storage key.
|
|
154
|
+
* - When tenantId and appId are both falsy: returns getStorageKeyPrefix() + suffix (tenant-code-based or default).
|
|
155
|
+
* - Otherwise: returns auth_${tenantId}_${appId}_${suffix}.
|
|
156
|
+
*/
|
|
157
|
+
declare function buildStorageKey(ns: StorageNamespace, suffix: string): string;
|
|
158
|
+
|
|
159
|
+
/**
|
|
160
|
+
* Storage context: current adapter and namespace.
|
|
161
|
+
* Can be set via setStorageContext (legacy) or setAuthRuntime (full runtime).
|
|
162
|
+
* No window/document usage.
|
|
163
|
+
*/
|
|
164
|
+
|
|
165
|
+
declare function setStorageContext(adapter: StorageAdapter | null, namespace?: Partial<StorageNamespace>): void;
|
|
166
|
+
declare function getStorageAdapter(): StorageAdapter | null;
|
|
167
|
+
declare function getStorageNamespace(): StorageNamespace;
|
|
168
|
+
|
|
169
|
+
/**
|
|
170
|
+
* In-memory storage adapter. SSR-safe; no window/document usage.
|
|
171
|
+
* Default for server-side or when no persistent storage is desired.
|
|
172
|
+
*/
|
|
173
|
+
|
|
174
|
+
declare function createMemoryStorageAdapter(namespace: StorageNamespace): StorageAdapter;
|
|
175
|
+
|
|
176
|
+
/**
|
|
177
|
+
* Session storage adapter with namespaced keys. SSR-safe: guards all
|
|
178
|
+
* window/sessionStorage access with typeof window !== 'undefined'.
|
|
179
|
+
*/
|
|
180
|
+
|
|
181
|
+
declare function createSecureSessionStorageAdapter(namespace: StorageNamespace): StorageAdapter;
|
|
182
|
+
|
|
183
|
+
/**
|
|
184
|
+
* Cookie-based storage adapter (HttpOnly-compatible abstraction).
|
|
185
|
+
* Tokens are stored in cookies; config/flow flags use cookies or fallback.
|
|
186
|
+
* SSR-safe: all document/window access guarded with typeof window !== 'undefined'.
|
|
187
|
+
*
|
|
188
|
+
* Note: True HttpOnly cookies must be set by the server. This adapter uses
|
|
189
|
+
* document.cookie for client-readable tokens when running in the browser,
|
|
190
|
+
* and can be replaced by a server-backed implementation for HttpOnly.
|
|
191
|
+
*/
|
|
192
|
+
|
|
193
|
+
declare function createCookieStorageAdapter(namespace: StorageNamespace, options?: {
|
|
194
|
+
cookiePrefix?: string;
|
|
195
|
+
}): StorageAdapter;
|
|
196
|
+
|
|
197
|
+
/**
|
|
198
|
+
* Storage API: adapter-based get/set/clear. No direct window/sessionStorage.
|
|
199
|
+
* Keys use dynamic prefix from tenant code (see prefix.ts).
|
|
200
|
+
*/
|
|
201
|
+
|
|
202
|
+
declare function getAccessToken(): string | null;
|
|
203
|
+
declare function isAccessTokenExpired(): boolean;
|
|
204
|
+
|
|
205
|
+
declare function useAuthContext(): AuthContextValue;
|
|
206
|
+
|
|
207
|
+
/**
|
|
208
|
+
* Configuration types.
|
|
209
|
+
*
|
|
210
|
+
* There is no "internal vs runtime" config anymore.
|
|
211
|
+
* Everything is provided by the host app via `AuthProvider` props / `setConfig()`.
|
|
212
|
+
*/
|
|
213
|
+
interface SDKConfig {
|
|
214
|
+
/** Tenant resolution service base URL. */
|
|
215
|
+
apiBaseUrl?: string;
|
|
216
|
+
/** Auth API base URL (token exchange/refresh/logout). */
|
|
217
|
+
apiAuthBaseUrl?: string;
|
|
218
|
+
/** Authorization server base URL (OIDC authorize endpoint). */
|
|
219
|
+
authServerUrl?: string;
|
|
220
|
+
/** Callback/redirect URL (full URL). */
|
|
221
|
+
callbackUrl?: string;
|
|
222
|
+
/** Alias some hosts use for OAuth redirect URI (same as callbackUrl). */
|
|
223
|
+
redirectUri?: string;
|
|
224
|
+
/** Optional tenant code/key (used for tenant resolution). */
|
|
225
|
+
tenantCode?: string;
|
|
226
|
+
tenantKey?: string;
|
|
227
|
+
/** Optional app identifier (storage namespacing). */
|
|
228
|
+
appId?: string;
|
|
229
|
+
/** Optional runtime identifiers (may be returned from tenant API). */
|
|
230
|
+
clientId?: string;
|
|
231
|
+
tenantId?: string;
|
|
232
|
+
clientCode?: string;
|
|
233
|
+
/** Optional UI/runtime overrides. */
|
|
234
|
+
basePath?: string;
|
|
235
|
+
}
|
|
236
|
+
type HostConfigOverride = SDKConfig;
|
|
237
|
+
interface ResolvedConfig {
|
|
238
|
+
apiBaseUrl: string;
|
|
239
|
+
authServerUrl: string;
|
|
240
|
+
callbackUrl: string;
|
|
241
|
+
clientCode: string;
|
|
242
|
+
tenantCode: string;
|
|
243
|
+
appId: string;
|
|
244
|
+
/** OAuth client id (may match clientCode / public client). */
|
|
245
|
+
clientId: string;
|
|
246
|
+
/** Tenant id from tenant resolution API when available. */
|
|
247
|
+
tenantId: string;
|
|
248
|
+
}
|
|
249
|
+
|
|
250
|
+
/**
|
|
251
|
+
* Host-aware config resolution: memory → host bridge (window / provider) → storage cache (fallback).
|
|
252
|
+
* Does not import application/storage barrel to avoid circular deps — uses storage/kv only.
|
|
253
|
+
*/
|
|
254
|
+
|
|
255
|
+
type ConfigLayerSource = 'override' | 'memory' | 'host_bridge' | 'storage_cache';
|
|
256
|
+
declare global {
|
|
257
|
+
interface Window {
|
|
258
|
+
/** Optional host-injected auth config (runtime). Lowest priority vs setConfig memory, above storage cache. */
|
|
259
|
+
__TENNEO_AUTH_HOST__?: Partial<SDKConfig>;
|
|
260
|
+
}
|
|
261
|
+
}
|
|
262
|
+
declare function setConfig(overrides: HostConfigOverride): void;
|
|
263
|
+
declare function setHostConfigProvider(fn: (() => Partial<SDKConfig> | null | undefined) | null): void;
|
|
264
|
+
interface FieldSourceMap {
|
|
265
|
+
tenantCode?: ConfigLayerSource;
|
|
266
|
+
tenantKey?: ConfigLayerSource;
|
|
267
|
+
apiBaseUrl?: ConfigLayerSource;
|
|
268
|
+
authServerUrl?: ConfigLayerSource;
|
|
269
|
+
callbackUrl?: ConfigLayerSource;
|
|
270
|
+
clientCode?: ConfigLayerSource;
|
|
271
|
+
clientId?: ConfigLayerSource;
|
|
272
|
+
tenantId?: ConfigLayerSource;
|
|
273
|
+
appId?: ConfigLayerSource;
|
|
274
|
+
}
|
|
275
|
+
/**
|
|
276
|
+
* Per-field source for debugging (first layer that supplied a non-empty value).
|
|
277
|
+
*/
|
|
278
|
+
declare function getConfigFieldSources(overrides?: HostConfigOverride): FieldSourceMap;
|
|
279
|
+
declare function getEffectiveTenantCode(overrides?: HostConfigOverride): string;
|
|
280
|
+
/** @alias getEffectiveTenantCode — tenant_key / tenant_code / clientCode from resolved config */
|
|
281
|
+
declare const getEffectiveTenantKey: typeof getEffectiveTenantCode;
|
|
282
|
+
interface GetAuthConfigOptions {
|
|
283
|
+
/** When true, throws if required OAuth / tenant fields are missing. */
|
|
284
|
+
strict?: boolean;
|
|
285
|
+
overrides?: HostConfigOverride;
|
|
286
|
+
}
|
|
287
|
+
declare class AuthConfigError extends Error {
|
|
288
|
+
readonly code = "AUTH_CONFIG_MISSING";
|
|
289
|
+
readonly missing: string[];
|
|
290
|
+
constructor(missing: string[], message?: string);
|
|
291
|
+
}
|
|
292
|
+
declare function resolveConfig(overrides?: HostConfigOverride): ResolvedConfig;
|
|
293
|
+
/**
|
|
294
|
+
* Persist a non-authoritative copy for early readers (bootstrap before React).
|
|
295
|
+
* Never use as sole source of truth — memory/host win at resolve time.
|
|
296
|
+
*/
|
|
297
|
+
/**
|
|
298
|
+
* After logout or host-driven updates: persist a cache snapshot from current resolved SDK config (non-empty fields only).
|
|
299
|
+
*/
|
|
300
|
+
declare function syncHostConfigCacheFromMemory(): void;
|
|
301
|
+
declare function writeHostConfigCache(partial: HostConfigOverride): void;
|
|
302
|
+
/**
|
|
303
|
+
* Host entrypoint: merge into memory and optionally refresh storage cache.
|
|
304
|
+
*/
|
|
305
|
+
declare function initPlugin(config: HostConfigOverride, opts?: {
|
|
306
|
+
syncStorageCache?: boolean;
|
|
307
|
+
}): void;
|
|
308
|
+
declare function logConfigResolutionDebug(context: string, overrides?: HostConfigOverride): void;
|
|
309
|
+
|
|
310
|
+
/**
|
|
311
|
+
* OAuth constants and storage keys. No config resolution — pure constants.
|
|
312
|
+
*/
|
|
313
|
+
declare const OAUTH_CONSTANTS: {
|
|
314
|
+
readonly SCOPES: "openid profile email";
|
|
315
|
+
readonly RESPONSE_TYPE: "code";
|
|
316
|
+
readonly CODE_CHALLENGE_METHOD: "S256";
|
|
317
|
+
readonly TOKEN_GRANT_TYPE: "authorization_code";
|
|
318
|
+
readonly REFRESH_GRANT_TYPE: "refresh_token";
|
|
319
|
+
};
|
|
320
|
+
declare const STORAGE_KEY_PREFIX = "tenneo_auth_";
|
|
321
|
+
declare const STORAGE_KEYS: {
|
|
322
|
+
readonly authServerUrl: "tenneo_auth_auth_server_url";
|
|
323
|
+
readonly clientId: "tenneo_auth_client_id";
|
|
324
|
+
readonly redirectUri: "tenneo_auth_redirect_uri";
|
|
325
|
+
readonly tenantId: "tenneo_auth_tenant_id";
|
|
326
|
+
readonly codeVerifier: "tenneo_auth_code_verifier";
|
|
327
|
+
readonly state: "tenneo_auth_state";
|
|
328
|
+
readonly accessToken: "tenneo_auth_access_token";
|
|
329
|
+
readonly refreshToken: "tenneo_auth_refresh_token";
|
|
330
|
+
readonly expiresAt: "tenneo_auth_expires_at";
|
|
331
|
+
};
|
|
332
|
+
|
|
333
|
+
/** Resolved config; pass `{ strict: true }` to fail fast if OAuth fields are missing. */
|
|
334
|
+
declare function getAuthConfig(options?: GetAuthConfigOptions): ResolvedConfig;
|
|
335
|
+
/** Fail fast when authServerUrl, callbackUrl, or tenant are missing. */
|
|
336
|
+
declare function requireAuthConfig(overrides?: HostConfigOverride): ResolvedConfig;
|
|
337
|
+
declare function getConfig(): ResolvedConfig;
|
|
338
|
+
declare const Config: {
|
|
339
|
+
readonly getApiBaseUrl: () => string;
|
|
340
|
+
readonly getAuthServerUrl: () => string;
|
|
341
|
+
readonly getClientCode: () => string;
|
|
342
|
+
readonly getRedirectUri: () => string;
|
|
343
|
+
readonly getAll: () => ResolvedConfig;
|
|
344
|
+
};
|
|
345
|
+
/**
|
|
346
|
+
* Apply tenant switch in runtime config (memory + optional cache). Does not read stale snapshots.
|
|
347
|
+
*/
|
|
348
|
+
declare function applyRuntimeTenantSwitch(tenantKey: string, opts?: {
|
|
349
|
+
syncStorageCache?: boolean;
|
|
350
|
+
}): void;
|
|
351
|
+
|
|
352
|
+
/**
|
|
353
|
+
* React Context Provider for authentication state (FINAL)
|
|
354
|
+
*/
|
|
355
|
+
|
|
356
|
+
interface AuthProviderProps {
|
|
357
|
+
children: React.ReactNode;
|
|
358
|
+
autoInit?: boolean;
|
|
359
|
+
/** Optional config object from host app (alternative to passing individual props). */
|
|
360
|
+
config?: SDKConfig;
|
|
361
|
+
/** Tenant code from host app (used to resolve tenant via GET /api/tenant/v1/public/tenants/by-code/{tenantCode}). */
|
|
362
|
+
tenantCode?: string;
|
|
363
|
+
/** Tenant resolution base URL (host app). */
|
|
364
|
+
apiBaseUrl?: string;
|
|
365
|
+
/** Authorization server URL (host app). */
|
|
366
|
+
authServerUrl?: string;
|
|
367
|
+
/** Callback/redirect URL (host app). */
|
|
368
|
+
callbackUrl?: string;
|
|
369
|
+
/** App id for storage namespacing (auth_${tenantId}_${appId}_*). */
|
|
370
|
+
appId?: string;
|
|
371
|
+
/** Optional storage adapter; default is SecureSessionStorageAdapter with namespacing. */
|
|
372
|
+
storageAdapter?: StorageAdapter | null;
|
|
373
|
+
}
|
|
374
|
+
/**
|
|
375
|
+
* AuthProvider – UI-facing auth state only
|
|
376
|
+
*/
|
|
377
|
+
declare function AuthProvider({ children, autoInit, config, tenantCode, apiBaseUrl, authServerUrl, callbackUrl, appId, storageAdapter, }: AuthProviderProps): React.JSX.Element;
|
|
378
|
+
|
|
379
|
+
interface AuthCallbackProps {
|
|
380
|
+
loginPath?: string;
|
|
381
|
+
successPath?: string;
|
|
382
|
+
homePath?: string;
|
|
383
|
+
}
|
|
384
|
+
declare function AuthCallback({ loginPath, successPath, homePath, }: AuthCallbackProps): React.JSX.Element;
|
|
385
|
+
|
|
386
|
+
interface ProtectedRouteProps {
|
|
387
|
+
children: React.ReactNode;
|
|
388
|
+
fallback?: React.ReactNode;
|
|
389
|
+
autoLogin?: boolean;
|
|
390
|
+
}
|
|
391
|
+
declare function ProtectedRoute({ children, fallback, autoLogin, }: ProtectedRouteProps): React.JSX.Element;
|
|
392
|
+
|
|
393
|
+
/**
|
|
394
|
+
* useAuth hook for accessing authentication state and methods
|
|
395
|
+
*/
|
|
396
|
+
|
|
397
|
+
/**
|
|
398
|
+
* Hook to access authentication state and methods
|
|
399
|
+
* @returns Authentication context value
|
|
400
|
+
*/
|
|
401
|
+
declare function useAuth(): AuthContextValue;
|
|
402
|
+
|
|
403
|
+
/**
|
|
404
|
+
* useAuthInit hook
|
|
405
|
+
*
|
|
406
|
+
* RULES:
|
|
407
|
+
* - Only prevents parallel init calls
|
|
408
|
+
* - Does NOT block based on flags (bootstrap handles that)
|
|
409
|
+
*/
|
|
410
|
+
interface UseAuthInitResult {
|
|
411
|
+
isLoading: boolean;
|
|
412
|
+
error: string | null;
|
|
413
|
+
init: () => Promise<void>;
|
|
414
|
+
}
|
|
415
|
+
declare function useAuthInit(): UseAuthInitResult;
|
|
416
|
+
|
|
417
|
+
/**
|
|
418
|
+
* Framework-agnostic runtime interfaces for the auth core.
|
|
419
|
+
* No React, window, or document dependencies.
|
|
420
|
+
*/
|
|
421
|
+
|
|
422
|
+
/** Current URL snapshot (replaces direct window.location usage in core). */
|
|
423
|
+
interface CurrentUrl {
|
|
424
|
+
href: string;
|
|
425
|
+
origin: string;
|
|
426
|
+
pathname: string;
|
|
427
|
+
search: string;
|
|
428
|
+
hostname: string;
|
|
429
|
+
}
|
|
430
|
+
/** Logger interface – no console in core. */
|
|
431
|
+
interface Logger {
|
|
432
|
+
info(message: string, meta?: Record<string, unknown>): void;
|
|
433
|
+
warn(message: string, meta?: Record<string, unknown>): void;
|
|
434
|
+
error(message: string, meta?: Record<string, unknown>): void;
|
|
435
|
+
debug(message: string, meta?: Record<string, unknown>): void;
|
|
436
|
+
}
|
|
437
|
+
/** URL and navigation – replaces window.location / window.history in core. */
|
|
438
|
+
interface UrlProvider {
|
|
439
|
+
getCurrentUrl(): CurrentUrl;
|
|
440
|
+
/** Full redirect (e.g. window.location.replace). */
|
|
441
|
+
redirect(url: string): void;
|
|
442
|
+
/** Soft replace (e.g. history.replaceState) without reload. */
|
|
443
|
+
replaceState(url: string): void;
|
|
444
|
+
}
|
|
445
|
+
/** Configuration – replaces direct Config / window.__APP_CONFIG__ in core. */
|
|
446
|
+
interface ConfigProvider {
|
|
447
|
+
getApiBaseUrl(): string;
|
|
448
|
+
getAuthServerUrl(): string;
|
|
449
|
+
getRedirectUri(): string;
|
|
450
|
+
getClientCode(): string;
|
|
451
|
+
}
|
|
452
|
+
/** Tenant resolution – replaces direct tenant API usage in core. */
|
|
453
|
+
interface TenantResolver {
|
|
454
|
+
resolve(tenantKey: string): Promise<TenantConfig | null>;
|
|
455
|
+
}
|
|
456
|
+
/** Optional: clear cookies (e.g. on logout). Called by core when provided. */
|
|
457
|
+
interface CookieClearer {
|
|
458
|
+
clearCookies(): void;
|
|
459
|
+
}
|
|
460
|
+
/**
|
|
461
|
+
* Auth runtime: all external dependencies injected.
|
|
462
|
+
* Core uses only this; no direct browser or framework APIs.
|
|
463
|
+
*/
|
|
464
|
+
interface AuthRuntime {
|
|
465
|
+
/** Required. Token + key-value storage. */
|
|
466
|
+
storageAdapter: StorageAdapter;
|
|
467
|
+
storageNamespace: StorageNamespace;
|
|
468
|
+
/** Required. No console.log in core. */
|
|
469
|
+
logger: Logger;
|
|
470
|
+
/** Required for redirects and URL checks. */
|
|
471
|
+
urlProvider: UrlProvider;
|
|
472
|
+
/** Required for OAuth and tenant config. */
|
|
473
|
+
configProvider: ConfigProvider;
|
|
474
|
+
/** Required for resolving tenant by key. */
|
|
475
|
+
tenantResolver: TenantResolver;
|
|
476
|
+
/** Optional. If not set, core will not clear cookies on logout. */
|
|
477
|
+
clearCookies?: CookieClearer;
|
|
478
|
+
}
|
|
479
|
+
|
|
480
|
+
/**
|
|
481
|
+
* Runtime context: single get/set for auth runtime.
|
|
482
|
+
* Core reads from here; host (e.g. React layer) sets before any core code runs.
|
|
483
|
+
*/
|
|
484
|
+
|
|
485
|
+
declare function setAuthRuntime(runtime: AuthRuntime | null): void;
|
|
486
|
+
declare function getAuthRuntime(): AuthRuntime | null;
|
|
487
|
+
|
|
488
|
+
/**
|
|
489
|
+
* Auth strategy interface for pluggable authentication.
|
|
490
|
+
* Engine and bootstrap depend on this interface, not concrete OAuth2 PKCE.
|
|
491
|
+
*/
|
|
492
|
+
|
|
493
|
+
interface AuthStrategy {
|
|
494
|
+
/** Start the auth flow (e.g. redirect to IdP). */
|
|
495
|
+
initiate(tenantConfig: TenantConfig): Promise<void>;
|
|
496
|
+
/** Handle OAuth callback (code exchange). Returns true if callback was handled. */
|
|
497
|
+
handleCallback(): Promise<boolean>;
|
|
498
|
+
/** Refresh access token. Returns new access token or throws. */
|
|
499
|
+
refresh(): Promise<string>;
|
|
500
|
+
/** Log out and clear session. */
|
|
501
|
+
logout(options?: {
|
|
502
|
+
tenantKey?: string;
|
|
503
|
+
}): Promise<void>;
|
|
504
|
+
}
|
|
505
|
+
|
|
506
|
+
/**
|
|
507
|
+
* Auth engine types. No React, no browser globals.
|
|
508
|
+
*/
|
|
509
|
+
|
|
510
|
+
type AuthEngineConfig = AuthRuntime & {
|
|
511
|
+
strategy?: AuthStrategy;
|
|
512
|
+
};
|
|
513
|
+
interface AuthEngineState {
|
|
514
|
+
status: 'idle' | 'loading' | 'authenticated' | 'unauthenticated' | 'error';
|
|
515
|
+
accessToken: string | null;
|
|
516
|
+
expiresAt: number | null;
|
|
517
|
+
error: string | null;
|
|
518
|
+
}
|
|
519
|
+
type AuthStateListener = (state: AuthEngineState) => void;
|
|
520
|
+
type Unsubscribe = () => void;
|
|
521
|
+
interface AuthEngine {
|
|
522
|
+
init(): Promise<void>;
|
|
523
|
+
login(): Promise<void>;
|
|
524
|
+
logout(options?: {
|
|
525
|
+
tenantKey?: string;
|
|
526
|
+
}): Promise<void>;
|
|
527
|
+
refresh(): Promise<string>;
|
|
528
|
+
getAccessToken(): Promise<string>;
|
|
529
|
+
handleCallback(): Promise<boolean>;
|
|
530
|
+
subscribe(listener: AuthStateListener): Unsubscribe;
|
|
531
|
+
getState(): AuthEngineState;
|
|
532
|
+
}
|
|
533
|
+
|
|
534
|
+
/**
|
|
535
|
+
* Creates the auth engine. No React, no direct browser usage.
|
|
536
|
+
*/
|
|
537
|
+
|
|
538
|
+
declare function createAuthEngine(config: AuthEngineConfig): AuthEngine;
|
|
539
|
+
|
|
540
|
+
/**
|
|
541
|
+
* OAuth2 PKCE implementation of AuthStrategy.
|
|
542
|
+
* Wraps initiateAuthFlow, handleCallback, refreshAccessToken, and logout.
|
|
543
|
+
*/
|
|
544
|
+
|
|
545
|
+
declare function createOAuth2PkceStrategy(): AuthStrategy;
|
|
546
|
+
|
|
547
|
+
/**
|
|
548
|
+
* Runtime-backed facade for domain tenant/callback helpers.
|
|
549
|
+
* Provides extractTenantKey(), isCallbackUrl(), isLocalhost() for public API and internal use.
|
|
550
|
+
* Uses runtime when set; falls back to window for backward compatibility.
|
|
551
|
+
*/
|
|
552
|
+
|
|
553
|
+
declare function extractTenantKey(): string | null;
|
|
554
|
+
declare function isCallbackUrl(): boolean;
|
|
555
|
+
|
|
556
|
+
/**
|
|
557
|
+
* Tenant resolution API client.
|
|
558
|
+
* Resolves tenant configuration via GET /api/tenant/v1/public/tenants/by-code/{tenantCode}.
|
|
559
|
+
*/
|
|
560
|
+
|
|
561
|
+
declare function resolveTenant(tenantKey: string): Promise<TenantConfig | null>;
|
|
562
|
+
|
|
563
|
+
/**
|
|
564
|
+
* Security and error utilities for authentication.
|
|
565
|
+
* Domain layer: sanitized errors and HTTPS enforcement.
|
|
566
|
+
*/
|
|
567
|
+
declare function enforceHttps(allowLocalhost?: boolean): void;
|
|
568
|
+
declare function sanitizeErrorMessage(error: unknown, genericMessage: string): string;
|
|
569
|
+
declare class SanitizedError extends Error {
|
|
570
|
+
readonly code: string;
|
|
571
|
+
readonly originalMessage?: string;
|
|
572
|
+
constructor(code: string, genericMessage: string, originalError?: unknown);
|
|
573
|
+
}
|
|
574
|
+
|
|
575
|
+
/**
|
|
576
|
+
* Cookie watcher to detect cookie deletion and clear session.
|
|
577
|
+
* Infrastructure layer: uses storage and callback; application sets callback to bootstrap.
|
|
578
|
+
*/
|
|
579
|
+
declare function startCookieWatcher(): void;
|
|
580
|
+
declare function stopCookieWatcher(): void;
|
|
581
|
+
declare function resetCookieWatcher(): void;
|
|
582
|
+
|
|
583
|
+
/**
|
|
584
|
+
* Storage watcher to detect manual storage clears and restart auth flow.
|
|
585
|
+
* Infrastructure layer: uses storage and callback; application sets callback to bootstrap.
|
|
586
|
+
*/
|
|
587
|
+
declare function startStorageWatcher(): void;
|
|
588
|
+
declare function stopStorageWatcher(): void;
|
|
589
|
+
|
|
590
|
+
/**
|
|
591
|
+
* Suppress watcher side effects during intentional auth teardown (e.g. logout).
|
|
592
|
+
* Deterministic: set before storage/cookie mutation, clear after cleanup completes.
|
|
593
|
+
*/
|
|
594
|
+
declare function suspendWatchers(): number;
|
|
595
|
+
declare function resumeWatchers(expectedGen?: number): void;
|
|
596
|
+
declare function areWatchersSuspended(): boolean;
|
|
597
|
+
|
|
598
|
+
/**
|
|
599
|
+
* Structured auth event emitter for observability and audit.
|
|
600
|
+
*/
|
|
601
|
+
declare const AuthEventNames: {
|
|
602
|
+
readonly LOGIN_STARTED: "LOGIN_STARTED";
|
|
603
|
+
readonly LOGIN_SUCCESS: "LOGIN_SUCCESS";
|
|
604
|
+
readonly LOGIN_FAILED: "LOGIN_FAILED";
|
|
605
|
+
readonly CALLBACK_SUCCESS: "CALLBACK_SUCCESS";
|
|
606
|
+
readonly CALLBACK_FAILED: "CALLBACK_FAILED";
|
|
607
|
+
readonly TOKEN_REFRESH_SUCCESS: "TOKEN_REFRESH_SUCCESS";
|
|
608
|
+
readonly TOKEN_REFRESH_FAILED: "TOKEN_REFRESH_FAILED";
|
|
609
|
+
readonly TENANT_SWITCHED: "TENANT_SWITCHED";
|
|
610
|
+
readonly LOGOUT_COMPLETED: "LOGOUT_COMPLETED";
|
|
611
|
+
readonly BOOTSTRAP_STATE_DETECTED: "BOOTSTRAP_STATE_DETECTED";
|
|
612
|
+
readonly REDIRECT_LOOP_RISK: "REDIRECT_LOOP_RISK";
|
|
613
|
+
};
|
|
614
|
+
type AuthEventName = (typeof AuthEventNames)[keyof typeof AuthEventNames];
|
|
615
|
+
interface AuthEventPayload {
|
|
616
|
+
state?: string;
|
|
617
|
+
tenantKey?: string;
|
|
618
|
+
error?: string;
|
|
619
|
+
message?: string;
|
|
620
|
+
[key: string]: unknown;
|
|
621
|
+
}
|
|
622
|
+
type AuthEventHandler = (payload?: AuthEventPayload) => void;
|
|
623
|
+
declare function emitAuthEvent(event: AuthEventName, payload?: AuthEventPayload): void;
|
|
624
|
+
declare function subscribeAuthEvent(event: AuthEventName | '*', handler: AuthEventHandler): () => void;
|
|
625
|
+
|
|
626
|
+
export { AuthCallback, AuthConfigError, type AuthContextValue, type AuthEngine, type AuthEngineConfig, type AuthEngineState, type AuthEventHandler, type AuthEventName, AuthEventNames, type AuthEventPayload, AuthProvider, type AuthRuntime, type AuthState, type AuthStateListener, type AuthStrategy, type AuthTokens, Config, type ConfigLayerSource, type ConfigProvider, type CookieClearer, type CurrentUrl, type EnvConfig, type FieldSourceMap, type GetAuthConfigOptions, type HostConfigOverride, type Logger, OAUTH_CONSTANTS, ProtectedRoute, type ResolvedConfig, type SDKConfig, STORAGE_KEYS, STORAGE_KEY_PREFIX, SanitizedError, type StorageAdapter, type StorageNamespace, type TenantConfig, type TenantResolver, type TokenResponse, type TokenStorageAdapter, type Unsubscribe, type UrlProvider, applyRuntimeTenantSwitch, areWatchersSuspended, bootstrap, buildStorageKey, createAuthEngine, createCookieStorageAdapter, createMemoryStorageAdapter, createOAuth2PkceStrategy, createSecureSessionStorageAdapter, emitAuthEvent, enforceHttps, ensureValidAccessToken, extractTenantKey, getAccessToken$1 as getAccessToken, getAuthConfig, getAuthRuntime, getConfig, getConfigFieldSources, getEffectiveTenantCode, getEffectiveTenantKey, getStorageAdapter, getStorageNamespace, getAccessToken as getStoredAccessToken, initPlugin, isAccessTokenExpired, isCallbackUrl, logConfigResolutionDebug, logout, refreshAccessToken, requireAuthConfig, resetCookieWatcher, resolveConfig, resolveTenant, resumeWatchers, sanitizeErrorMessage, setAuthRuntime, setConfig, setHostConfigProvider, setStorageContext, startCookieWatcher, startStorageWatcher, stopCookieWatcher, stopStorageWatcher, subscribeAuthEvent, suspendWatchers, syncHostConfigCacheFromMemory, useAuth, useAuthContext, useAuthInit, writeHostConfigCache };
|