valtech-components 4.0.34 → 4.0.35

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (32) hide show
  1. package/esm2022/lib/services/auth/auth.service.mjs +28 -20
  2. package/esm2022/lib/services/auth/oauth-callback.component.mjs +13 -1
  3. package/esm2022/lib/services/auth/oauth.service.mjs +83 -8
  4. package/esm2022/lib/services/auth/storage.service.mjs +7 -11
  5. package/esm2022/lib/services/auth/types.mjs +1 -1
  6. package/esm2022/lib/services/link-processor.service.mjs +27 -5
  7. package/esm2022/lib/services/requests/request-visibility.mjs +41 -0
  8. package/esm2022/lib/services/requests/types.mjs +1 -1
  9. package/esm2022/lib/version.mjs +2 -2
  10. package/esm2022/public-api.mjs +2 -1
  11. package/fesm2022/valtech-components.mjs +195 -41
  12. package/fesm2022/valtech-components.mjs.map +1 -1
  13. package/lib/components/atoms/rights-footer/rights-footer.component.d.ts +1 -1
  14. package/lib/components/atoms/text/text.component.d.ts +1 -1
  15. package/lib/components/atoms/user-avatar/user-avatar.component.d.ts +1 -1
  16. package/lib/components/molecules/cta-card/cta-card.component.d.ts +1 -1
  17. package/lib/components/molecules/features-list/features-list.component.d.ts +1 -1
  18. package/lib/components/molecules/metric-card/metric-card.component.d.ts +1 -1
  19. package/lib/components/molecules/username-input/username-input.component.d.ts +1 -1
  20. package/lib/components/organisms/article/article.component.d.ts +4 -4
  21. package/lib/components/organisms/auth-cta/auth-cta.component.d.ts +1 -1
  22. package/lib/components/organisms/landing-steps/landing-steps.component.d.ts +1 -1
  23. package/lib/services/auth/oauth-callback.component.d.ts +6 -0
  24. package/lib/services/auth/oauth.service.d.ts +28 -0
  25. package/lib/services/auth/storage.service.d.ts +1 -1
  26. package/lib/services/auth/types.d.ts +6 -0
  27. package/lib/services/link-processor.service.d.ts +12 -0
  28. package/lib/services/requests/request-visibility.d.ts +35 -0
  29. package/lib/services/requests/types.d.ts +7 -2
  30. package/lib/version.d.ts +1 -1
  31. package/package.json +1 -1
  32. package/public-api.d.ts +1 -0
@@ -43,7 +43,7 @@ export declare class RightsFooterComponent {
43
43
  /**
44
44
  * Computed helper for color prop in template.
45
45
  */
46
- propsColor: import("@angular/core").Signal<"dark" | "primary" | "secondary" | "tertiary" | "success" | "warning" | "danger" | "light" | "medium">;
46
+ propsColor: import("@angular/core").Signal<"light" | "dark" | "medium" | "success" | "warning" | "danger" | "primary" | "secondary" | "tertiary">;
47
47
  /**
48
48
  * Computed helper for withMargin prop in template.
49
49
  */
@@ -11,7 +11,7 @@ export declare class TextComponent {
11
11
  */
12
12
  displayContent: import("@angular/core").Signal<string>;
13
13
  propsColor: import("@angular/core").Signal<import("@ionic/core").Color>;
14
- propsSize: import("@angular/core").Signal<"medium" | "small" | "large" | "xlarge">;
14
+ propsSize: import("@angular/core").Signal<"small" | "medium" | "large" | "xlarge">;
15
15
  propsBold: import("@angular/core").Signal<boolean>;
16
16
  propsProcessLinks: import("@angular/core").Signal<boolean>;
17
17
  propsAllowPartialBold: import("@angular/core").Signal<boolean>;
@@ -38,7 +38,7 @@ export declare class UserAvatarComponent {
38
38
  readonly imageUrl: import("@angular/core").Signal<string>;
39
39
  /** Iniciales — 1-2 chars derivados de name (preferred) o email prefix. */
40
40
  readonly initials: import("@angular/core").Signal<string>;
41
- readonly sizeClass: import("@angular/core").Signal<"medium" | "small" | "large" | "xlarge" | "xsmall">;
41
+ readonly sizeClass: import("@angular/core").Signal<"small" | "medium" | "large" | "xlarge" | "xsmall">;
42
42
  readonly shapeClass: import("@angular/core").Signal<"circle" | "square">;
43
43
  /** Background — explicito o derivado deterministicamente del user. */
44
44
  readonly bgColor: import("@angular/core").Signal<string>;
@@ -35,7 +35,7 @@ export declare class CtaCardComponent {
35
35
  /** Emitted with the token of the clicked action button */
36
36
  onAction: EventEmitter<string>;
37
37
  /** Merged configuration with defaults */
38
- config: import("@angular/core").Signal<CtaCardMetadata & Required<Pick<CtaCardMetadata, "padding" | "borderRadius" | "bordered" | "shadowed" | "align">>>;
38
+ config: import("@angular/core").Signal<CtaCardMetadata & Required<Pick<CtaCardMetadata, "borderRadius" | "bordered" | "shadowed" | "align" | "padding">>>;
39
39
  getBackground(): string;
40
40
  getColor(): string | null;
41
41
  static ɵfac: i0.ɵɵFactoryDeclaration<CtaCardComponent, never>;
@@ -41,7 +41,7 @@ export declare class FeaturesListComponent {
41
41
  iconColor: string;
42
42
  iconSize: number;
43
43
  mode: "horizontal" | "vertical";
44
- gap: "medium" | "small" | "large";
44
+ gap: "small" | "medium" | "large";
45
45
  alignment: "center" | "start";
46
46
  imageShape: "circle" | "square";
47
47
  maxVisible: number;
@@ -28,7 +28,7 @@ export declare class MetricCardComponent {
28
28
  /** Emitted with the token of the clicked action */
29
29
  onAction: EventEmitter<string>;
30
30
  /** Merged configuration with defaults */
31
- config: import("@angular/core").Signal<MetricCardMetadata & Required<Pick<MetricCardMetadata, "padding" | "borderRadius" | "bordered" | "shadowed">>>;
31
+ config: import("@angular/core").Signal<MetricCardMetadata & Required<Pick<MetricCardMetadata, "borderRadius" | "bordered" | "shadowed" | "padding">>>;
32
32
  static ɵfac: i0.ɵɵFactoryDeclaration<MetricCardComponent, never>;
33
33
  static ɵcmp: i0.ɵɵComponentDeclaration<MetricCardComponent, "val-metric-card", never, { "props": { "alias": "props"; "required": false; "isSignal": true; }; }, { "onAction": "onAction"; }, never, never, true, never>;
34
34
  }
@@ -35,7 +35,7 @@ export declare class UsernameInputComponent implements OnInit, OnDestroy {
35
35
  availabilityStatus: import("@angular/core").WritableSignal<UsernameAvailabilityStatus>;
36
36
  hasError: import("@angular/core").Signal<boolean>;
37
37
  showStatusMessage: import("@angular/core").Signal<boolean>;
38
- statusColor: import("@angular/core").Signal<"success" | "danger">;
38
+ statusColor: import("@angular/core").Signal<"danger" | "success">;
39
39
  statusMessage: import("@angular/core").Signal<"" | "Username disponible" | "Username ya está en uso">;
40
40
  errorMessage: import("@angular/core").Signal<string>;
41
41
  ngOnInit(): void;
@@ -45,7 +45,7 @@ export declare class ArticleComponent implements OnInit {
45
45
  getVideoElement(element: ArticleElement): ArticleVideoElement;
46
46
  getCustomElement(element: ArticleElement): ArticleCustomElement;
47
47
  getQuoteTextProps(element: ArticleElement): {
48
- size: "medium" | "small" | "large" | "xlarge";
48
+ size: "small" | "medium" | "large" | "xlarge";
49
49
  color: import("@ionic/core").Color;
50
50
  content?: string;
51
51
  bold: boolean;
@@ -61,7 +61,7 @@ export declare class ArticleComponent implements OnInit {
61
61
  showQuoteMark?: boolean;
62
62
  };
63
63
  getHighlightTextProps(element: ArticleElement): {
64
- size: "medium" | "small" | "large" | "xlarge";
64
+ size: "small" | "medium" | "large" | "xlarge";
65
65
  color: import("@ionic/core").Color;
66
66
  content?: string;
67
67
  bold: boolean;
@@ -92,8 +92,8 @@ export declare class ArticleComponent implements OnInit {
92
92
  icon?: import("valtech-components").IconMetada;
93
93
  shape?: "round";
94
94
  size?: "default" | "small" | "large";
95
- fill?: "default" | "solid" | "clear" | "outline";
96
- type: "submit" | "button" | "reset";
95
+ fill?: "default" | "outline" | "clear" | "solid";
96
+ type: "reset" | "submit" | "button";
97
97
  token?: string;
98
98
  ref?: any;
99
99
  handler?: (value: any) => any;
@@ -35,7 +35,7 @@ export declare class AuthCtaComponent {
35
35
  onRegister: EventEmitter<void>;
36
36
  constructor();
37
37
  /** Merged configuration with defaults */
38
- config: import("@angular/core").Signal<AuthCtaMetadata & Required<Pick<AuthCtaMetadata, "padding" | "borderRadius" | "align">>>;
38
+ config: import("@angular/core").Signal<AuthCtaMetadata & Required<Pick<AuthCtaMetadata, "borderRadius" | "align" | "padding">>>;
39
39
  loginLabel: import("@angular/core").Signal<string>;
40
40
  registerLabel: import("@angular/core").Signal<string>;
41
41
  resolvedBg: import("@angular/core").Signal<string>;
@@ -4,7 +4,7 @@ export declare class LandingStepsComponent {
4
4
  private readonly props_;
5
5
  set props(v: LandingStepsMetadata);
6
6
  readonly p: import("@angular/core").Signal<LandingStepsMetadata>;
7
- readonly cols: import("@angular/core").Signal<2 | 3 | 4>;
7
+ readonly cols: import("@angular/core").Signal<4 | 2 | 3>;
8
8
  readonly accentColor: import("@angular/core").Signal<string>;
9
9
  static ɵfac: i0.ɵɵFactoryDeclaration<LandingStepsComponent, never>;
10
10
  static ɵcmp: i0.ɵɵComponentDeclaration<LandingStepsComponent, "val-landing-steps", never, { "props": { "alias": "props"; "required": false; }; }, {}, never, never, true, never>;
@@ -25,6 +25,12 @@ import * as i0 from "@angular/core";
25
25
  */
26
26
  export declare class OAuthCallbackComponent implements OnInit {
27
27
  message: string;
28
+ /**
29
+ * Nonce que el opener generó y pasó por el flujo (round-trip backend). Se
30
+ * reenvía al opener en cada mensaje para que verifique el origen del callback
31
+ * y rechace un oauth_callback_data forjado en localStorage por XSS (M-07).
32
+ */
33
+ private clientNonce;
28
34
  ngOnInit(): void;
29
35
  private processCallback;
30
36
  private sendToParent;
@@ -44,6 +44,13 @@ export declare class OAuthService {
44
44
  private popup;
45
45
  private messageHandler;
46
46
  private checkClosedInterval;
47
+ /**
48
+ * Nonce del flujo OAuth en curso (M-07). Vive SOLO en memoria — un XSS no lo
49
+ * puede leer de localStorage/sessionStorage. Viaja al backend (client_nonce),
50
+ * vuelve en el callback, y se verifica acá → rechaza un oauth_callback_data
51
+ * forjado por XSS.
52
+ */
53
+ private expectedNonce;
47
54
  constructor(config: ValtechAuthConfig | null, http: HttpClient, ngZone: NgZone);
48
55
  /**
49
56
  * Inicia flujo OAuth en popup.
@@ -94,6 +101,27 @@ export declare class OAuthService {
94
101
  * Limpia recursos del popup.
95
102
  */
96
103
  private cleanup;
104
+ /**
105
+ * Genera un nonce aleatorio (CSPRNG) url-safe para el flujo OAuth (M-07).
106
+ */
107
+ private generateNonce;
108
+ /**
109
+ * Verifica que el callback traiga el nonce del flujo actual (M-07).
110
+ *
111
+ * Estricto: si el opener generó un nonce (siempre, en clientes nuevos) exige
112
+ * que el callback lo traiga y coincida. Un payload forjado en localStorage por
113
+ * XSS no conoce el nonce (vive solo en memoria) → se rechaza.
114
+ *
115
+ * ⚠️ Requiere que el backend ya eche `client_nonce` en el callback. Deploy:
116
+ * backend ANTES que el frontend, si no este check rechaza callbacks legítimos
117
+ * (sin nonce) durante la ventana de transición.
118
+ */
119
+ private isNonceValid;
120
+ /**
121
+ * Valida la forma del payload del callback (M-07): debe ser un error o tokens
122
+ * como objeto. Bloquea inyecciones malformadas (primitivos, shapes basura).
123
+ */
124
+ private isCallbackShapeValid;
97
125
  static ɵfac: i0.ɵɵFactoryDeclaration<OAuthService, [{ optional: true; }, null, null]>;
98
126
  static ɵprov: i0.ɵɵInjectableDeclaration<OAuthService>;
99
127
  }
@@ -23,7 +23,7 @@ export declare class AuthStorageService {
23
23
  /**
24
24
  * Guarda el refresh token (token rotation).
25
25
  */
26
- saveRefreshToken(token: string): void;
26
+ saveRefreshToken(_token: string): void;
27
27
  /**
28
28
  * Guarda los permisos actualizados.
29
29
  */
@@ -852,6 +852,12 @@ export interface OAuthCallbackData {
852
852
  tokens?: OAuthResult;
853
853
  /** Error (si falló) */
854
854
  error?: OAuthError;
855
+ /**
856
+ * Nonce del opener (M-07). El popup lo recibe del backend (round-trip por el
857
+ * OAuthState firmado) y lo reenvía; el opener lo verifica contra el que generó
858
+ * en memoria → rechaza un oauth_callback_data forjado en localStorage por XSS.
859
+ */
860
+ nonce?: string;
855
861
  }
856
862
  /**
857
863
  * Proveedor OAuth vinculado al usuario.
@@ -65,6 +65,18 @@ export declare class LinkProcessorService {
65
65
  * ```
66
66
  */
67
67
  processLinks(text: string, config?: LinkProcessorConfig): SafeHtml | string;
68
+ /**
69
+ * Devuelve un valor seguro para el atributo href. Como processLinks usa
70
+ * bypassSecurityTrustHtml (desactiva la sanitización automática de Angular),
71
+ * cada URL se valida explícitamente: el sanitizador de Angular neutraliza
72
+ * esquemas peligrosos (javascript:, data:, vbscript:) prefijándolos con
73
+ * `unsafe:`, y luego se escapa el resultado para el contexto de atributo —
74
+ * evitando que una URL como `[x](javascript:alert(1))` o `http://a" onx="..."`
75
+ * inyecte script o atributos.
76
+ */
77
+ private safeHref;
78
+ /** Escapa los caracteres especiales de HTML (texto y valores de atributo). */
79
+ private escapeHtml;
68
80
  /**
69
81
  * Detecta si un texto contiene enlaces (URLs, rutas internas o enlaces Markdown).
70
82
  *
@@ -0,0 +1,35 @@
1
+ import { RequestTypeConfig } from './types';
2
+ /**
3
+ * Contexto del viewer para decidir qué tipos de solicitud puede ver/enviar.
4
+ * Lo arma la app desde su estado de auth (AuthService).
5
+ */
6
+ export interface RequestViewerContext {
7
+ /** Hay sesión activa. */
8
+ isAuthenticated: boolean;
9
+ /**
10
+ * Usuario activo/verificado (claim `verified` del token = Status ACTIVE).
11
+ * Solo relevante si isAuthenticated. Si se omite, se asume verificado
12
+ * (en la práctica el signin solo emite tokens a cuentas ACTIVE).
13
+ */
14
+ isVerified?: boolean;
15
+ /** Org activa del usuario (para tipos ORG/INTERNAL). */
16
+ activeOrg?: string;
17
+ }
18
+ /**
19
+ * ¿Este viewer puede ENVIAR una solicitud de este tipo? Espeja el gate
20
+ * server-side (`backend/.../request: submissionTargetOrg`). Es solo UX — el
21
+ * backend siempre valida —, pero evita que cada app reimplemente (mal) el filtro:
22
+ *
23
+ * - PUBLIC → cualquiera (anónimo solo si allowAnonymous).
24
+ * - AUTHENTICATED → logueado + verificado (cross-org).
25
+ * - ORG/INTERNAL → miembro de la org dueña (activeOrg === type.orgId).
26
+ */
27
+ export declare function canSubmitRequestType(type: RequestTypeConfig, ctx: RequestViewerContext): boolean;
28
+ /** Filtra el catálogo a los tipos que el viewer puede enviar. */
29
+ export declare function selectableRequestTypes(types: RequestTypeConfig[], ctx: RequestViewerContext): RequestTypeConfig[];
30
+ /**
31
+ * Modo de envío a usar: `'anonymous'` solo para tipos PUBLIC + allowAnonymous sin
32
+ * sesión; en el resto `'authenticated'`. Mapea a
33
+ * `RequestService.createAnonymousRequest` vs `createRequest`.
34
+ */
35
+ export declare function requestSubmitMode(type: RequestTypeConfig, ctx: RequestViewerContext): 'anonymous' | 'authenticated';
@@ -49,7 +49,7 @@ export interface FieldSchemaDef {
49
49
  order: number;
50
50
  }
51
51
  /** Quién puede leer un tipo de solicitud (y sus solicitudes públicas). */
52
- export type RequestVisibility = 'PUBLIC' | 'ORG' | 'INTERNAL';
52
+ export type RequestVisibility = 'PUBLIC' | 'AUTHENTICATED' | 'ORG' | 'INTERNAL';
53
53
  export interface RequestTypeConfig {
54
54
  typeId: string;
55
55
  appId: string;
@@ -58,7 +58,12 @@ export interface RequestTypeConfig {
58
58
  labelEn: string;
59
59
  fieldSchema: FieldSchemaDef[];
60
60
  allowAnonymous: boolean;
61
- /** PUBLIC: cualquiera · ORG/INTERNAL: solo miembros de la org. Default ORG. */
61
+ /**
62
+ * Quién puede leer/enviar este tipo (debe coincidir con el backend):
63
+ * - PUBLIC cualquiera, incluso sin login (anónimo si allowAnonymous).
64
+ * - AUTHENTICATED cualquier usuario logueado + verificado, cross-org.
65
+ * - ORG/INTERNAL solo miembros de la org dueña. Default ORG.
66
+ */
62
67
  visibility?: RequestVisibility;
63
68
  createdAt: string;
64
69
  updatedAt: string;
package/lib/version.d.ts CHANGED
@@ -2,4 +2,4 @@
2
2
  * Current version of valtech-components.
3
3
  * This is automatically updated during the publish process.
4
4
  */
5
- export declare const VERSION = "4.0.34";
5
+ export declare const VERSION = "4.0.35";
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "valtech-components",
3
- "version": "4.0.34",
3
+ "version": "4.0.35",
4
4
  "private": false,
5
5
  "bin": {
6
6
  "valtech-firebase-config": "./src/lib/services/firebase/scripts/generate-sw-config.js"
package/public-api.d.ts CHANGED
@@ -429,6 +429,7 @@ export * from './lib/services/requests/types';
429
429
  export * from './lib/services/requests/request.service';
430
430
  export * from './lib/services/requests/request-form-builder.service';
431
431
  export * from './lib/services/requests/request-firestore.service';
432
+ export * from './lib/services/requests/request-visibility';
432
433
  export * from './lib/components/organisms/article-strip/article-strip.component';
433
434
  export * from './lib/components/organisms/article-strip/types';
434
435
  export * from './lib/components/molecules/metric-card/metric-card.component';