win-portal-auth-sdk 1.0.0 → 1.1.0

package/dist/client/api/oauth.api.js

@@ -0,0 +1,258 @@
+"use strict";
+/**
+ * OAuth 2.0 & OpenID Connect API
+ *
+ * Client methods for OAuth 2.0 Authorization Code Flow with PKCE
+ * and OpenID Connect authentication
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateState = exports.generatePKCE = exports.OAuthAPI = void 0;
+class OAuthAPI {
+    constructor(client, config) {
+        this.client = client;
+        this.config = config;
+    }
+    /**
+     * Generate authorization URL for OAuth 2.0 Authorization Code Flow
+     *
+     * @example
+     * ```typescript
+     * const pkce = generatePKCE(); // Helper function (implement separately)
+     * const authUrl = oauth.getAuthorizationUrl({
+     *   state: 'random_state_string',
+     *   codeChallenge: pkce.codeChallenge,
+     *   codeChallengeMethod: 'S256',
+     *   scope: 'openid profile email'
+     * });
+     * // Redirect user to authUrl
+     * window.location.href = authUrl;
+     * ```
+     */
+    getAuthorizationUrl(options = {}) {
+        const baseUrl = this.client['client'].defaults.baseURL;
+        const params = new URLSearchParams({
+            client_id: this.config.clientId,
+            redirect_uri: this.config.redirectUri,
+            response_type: options.responseType || 'code',
+            scope: options.scope || this.config.scope || 'openid profile email',
+        });
+        if (options.state) {
+            params.append('state', options.state);
+        }
+        if (options.codeChallenge) {
+            params.append('code_challenge', options.codeChallenge);
+            params.append('code_challenge_method', options.codeChallengeMethod || 'S256');
+        }
+        return `${baseUrl}/oauth/authorize?${params.toString()}`;
+    }
+    /**
+     * Exchange authorization code for access token
+     *
+     * @example
+     * ```typescript
+     * // After user is redirected back with code
+     * const urlParams = new URLSearchParams(window.location.search);
+     * const code = urlParams.get('code');
+     *
+     * const tokens = await oauth.exchangeCodeForToken(code, {
+     *   codeVerifier: pkce.codeVerifier // From PKCE generation
+     * });
+     *
+     * console.log('Access Token:', tokens.access_token);
+     * console.log('ID Token:', tokens.id_token);
+     * ```
+     */
+    async exchangeCodeForToken(code, options = {}) {
+        const data = {
+            grant_type: 'authorization_code',
+            code,
+            redirect_uri: this.config.redirectUri,
+            client_id: this.config.clientId,
+        };
+        // Add client_secret for confidential clients
+        if (this.config.clientSecret) {
+            data.client_secret = this.config.clientSecret;
+        }
+        // Add PKCE code_verifier if provided
+        if (options.codeVerifier) {
+            data.code_verifier = options.codeVerifier;
+        }
+        const response = await this.client.post('/oauth/token', data);
+        return response.data;
+    }
+    /**
+     * Refresh access token using refresh token
+     *
+     * @example
+     * ```typescript
+     * const newTokens = await oauth.refreshAccessToken(refreshToken);
+     * ```
+     */
+    async refreshAccessToken(refreshToken) {
+        const data = {
+            grant_type: 'refresh_token',
+            refresh_token: refreshToken,
+            client_id: this.config.clientId,
+        };
+        if (this.config.clientSecret) {
+            data.client_secret = this.config.clientSecret;
+        }
+        const response = await this.client.post('/oauth/token', data);
+        return response.data;
+    }
+    /**
+     * Get user information from UserInfo endpoint (OIDC)
+     *
+     * @example
+     * ```typescript
+     * const userInfo = await oauth.getUserInfo(accessToken);
+     * console.log('User:', userInfo.name, userInfo.email);
+     * ```
+     */
+    async getUserInfo(accessToken) {
+        const response = await this.client.get('/oauth/userinfo', {
+            headers: {
+                Authorization: `Bearer ${accessToken}`,
+            },
+        });
+        return response.data;
+    }
+    /**
+     * Revoke access or refresh token
+     *
+     * @example
+     * ```typescript
+     * await oauth.revokeToken(accessToken, 'access_token');
+     * ```
+     */
+    async revokeToken(token, tokenTypeHint) {
+        const data = {
+            token,
+            client_id: this.config.clientId,
+        };
+        if (tokenTypeHint) {
+            data.token_type_hint = tokenTypeHint;
+        }
+        if (this.config.clientSecret) {
+            data.client_secret = this.config.clientSecret;
+        }
+        await this.client.post('/oauth/revoke', data);
+    }
+    /**
+     * Introspect token to check if it's valid
+     *
+     * @example
+     * ```typescript
+     * const result = await oauth.introspectToken(accessToken);
+     * if (result.active) {
+     *   console.log('Token is valid, expires at:', result.exp);
+     * }
+     * ```
+     */
+    async introspectToken(token) {
+        const data = {
+            token,
+            client_id: this.config.clientId,
+        };
+        if (this.config.clientSecret) {
+            data.client_secret = this.config.clientSecret;
+        }
+        const response = await this.client.post('/oauth/introspect', data);
+        return response.data;
+    }
+    /**
+     * Get OpenID Connect Discovery Document
+     *
+     * @example
+     * ```typescript
+     * const discovery = await oauth.getDiscoveryDocument();
+     * console.log('Issuer:', discovery.issuer);
+     * console.log('Authorization Endpoint:', discovery.authorization_endpoint);
+     * ```
+     */
+    async getDiscoveryDocument() {
+        const response = await this.client.get('/.well-known/openid-configuration');
+        return response.data;
+    }
+    /**
+     * Get JSON Web Key Set (JWKS) for token verification
+     *
+     * @example
+     * ```typescript
+     * const jwks = await oauth.getJWKS();
+     * // Use jwks to verify ID tokens
+     * ```
+     */
+    async getJWKS() {
+        const response = await this.client.get('/oauth/jwks');
+        return response.data;
+    }
+}
+exports.OAuthAPI = OAuthAPI;
+/**
+ * PKCE Helper Functions
+ */
+/**
+ * Generate random string for state/verifier
+ */
+function generateRandomString(length) {
+    const charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~';
+    const randomValues = new Uint8Array(length);
+    crypto.getRandomValues(randomValues);
+    return Array.from(randomValues)
+        .map((v) => charset[v % charset.length])
+        .join('');
+}
+/**
+ * Generate SHA-256 hash
+ */
+async function sha256(plain) {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(plain);
+    return crypto.subtle.digest('SHA-256', data);
+}
+/**
+ * Base64 URL encode
+ */
+function base64UrlEncode(buffer) {
+    const bytes = new Uint8Array(buffer);
+    let binary = '';
+    for (let i = 0; i < bytes.length; i++) {
+        binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+/**
+ * Generate PKCE code verifier and challenge
+ *
+ * @example
+ * ```typescript
+ * const pkce = await generatePKCE();
+ * // Store pkce.codeVerifier in sessionStorage
+ * // Use pkce.codeChallenge in authorization URL
+ * ```
+ */
+async function generatePKCE() {
+    const codeVerifier = generateRandomString(128);
+    const hashed = await sha256(codeVerifier);
+    const codeChallenge = base64UrlEncode(hashed);
+    return {
+        codeVerifier,
+        codeChallenge,
+        codeChallengeMethod: 'S256',
+    };
+}
+exports.generatePKCE = generatePKCE;
+/**
+ * Generate random state parameter
+ *
+ * @example
+ * ```typescript
+ * const state = generateState();
+ * // Store in sessionStorage for CSRF protection
+ * ```
+ */
+function generateState() {
+    return generateRandomString(32);
+}
+exports.generateState = generateState;

package/dist/client/api/system-config.api.d.ts

@@ -1,5 +1,5 @@
 import { AuthClient } from '../auth-client';
-import { SystemConfigResponseDto, SystemConfigSearchParams, SystemConfigCategoryResponse } from '../../types';
+import { SystemConfig, SystemConfigByCategory } from '../../types';
 /**
  * System Config API
  * Methods for retrieving system configurations
@@ -8,30 +8,20 @@ import { SystemConfigResponseDto, SystemConfigSearchParams, SystemConfigCategory
 export declare class SystemConfigAPI {
     private client;
     constructor(client: AuthClient);
-    /**
-     * GET /system-configs
-     * ดึงรายการ system configs (with pagination)
-     */
-    search(params?: SystemConfigSearchParams): Promise<{
-        data: SystemConfigResponseDto[];
-        total: number;
-        page: number;
-        page_size: number;
-    }>;
     /**
      * GET /system-configs/categories/:category
      * ดึง configs ตาม category - ส่ง object ที่รวมทุก key เป็น { key1: value1, key2: value2 }
      */
-    getByCategory(category: string): Promise<SystemConfigCategoryResponse>;
+    getByCategory(category: string): Promise<SystemConfigByCategory>;
     /**
      * GET /system-configs/categories/:category/:key
      * ดึง config ตาม category และ key - ส่ง full metadata row
      */
-    getByCategoryAndKey(category: string, key: string): Promise<SystemConfigResponseDto>;
+    getByCategoryAndKey(category: string, key: string): Promise<SystemConfig>;
     /**
      * GET /system-configs/categories/security
      * ดึง security configs ทั้งหมด (convenience method)
      */
-    security(): Promise<SystemConfigCategoryResponse>;
+    security(): Promise<SystemConfigByCategory>;
 }
 //# sourceMappingURL=system-config.api.d.ts.map

package/dist/client/api/system-config.api.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"system-config.api.d.ts","sourceRoot":"","sources":["../../../src/client/api/system-config.api.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAC5C,OAAO,EAAE,uBAAuB,EAAE,wBAAwB,EAAE,4BAA4B,EAAE,MAAM,aAAa,CAAC;AAE9G;;;;GAIG;AACH,qBAAa,eAAe;IACd,OAAO,CAAC,MAAM;gBAAN,MAAM,EAAE,UAAU;IAEtC;;;OAGG;IACG,MAAM,CAAC,MAAM,CAAC,EAAE,wBAAwB,GAAG,OAAO,CAAC;QACvD,IAAI,EAAE,uBAAuB,EAAE,CAAC;QAChC,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;IAKF;;;OAGG;IACG,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,4BAA4B,CAAC;IAK5E;;;OAGG;IACG,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,CAAC;IAK1F;;;OAGG;IACG,QAAQ,IAAI,OAAO,CAAC,4BAA4B,CAAC;CAGxD"}
+{"version":3,"file":"system-config.api.d.ts","sourceRoot":"","sources":["../../../src/client/api/system-config.api.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAEnE;;;;GAIG;AACH,qBAAa,eAAe;IACd,OAAO,CAAC,MAAM;gBAAN,MAAM,EAAE,UAAU;IAEtC;;;OAGG;IACG,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAKtE;;;OAGG;IACG,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAK/E;;;OAGG;IACG,QAAQ,IAAI,OAAO,CAAC,sBAAsB,CAAC;CAGlD"}

package/dist/client/api/system-config.api.js

@@ -10,14 +10,6 @@ class SystemConfigAPI {
     constructor(client) {
         this.client = client;
     }
-    /**
-     * GET /system-configs
-     * ดึงรายการ system configs (with pagination)
-     */
-    async search(params) {
-        const response = await this.client.get('/system-configs', { params });
-        return response.data;
-    }
     /**
      * GET /system-configs/categories/:category
      * ดึง configs ตาม category - ส่ง object ที่รวมทุก key เป็น { key1: value1, key2: value2 }

package/dist/client/auth-client.d.ts

@@ -7,7 +7,7 @@
  */
 import { AxiosInstance, AxiosRequestConfig, AxiosResponse } from 'axios';
 import { AuthSdkConfig } from '../types';
-import { AuthAPI, HealthAPI, SystemConfigAPI, FilesAPI, EventLogApi } from './api';
+import { AuthAPI, HealthAPI, SystemConfigAPI, FilesAPI, EventLogApi, OAuthAPI, OAuthConfig, LineAPI } from './api';
 export declare class AuthClient {
     private client;
     private apiKey;
@@ -18,7 +18,22 @@ export declare class AuthClient {
     readonly systemConfig: SystemConfigAPI;
     readonly files: FilesAPI;
     readonly eventLog: EventLogApi;
+    readonly line: LineAPI;
+    oauth?: OAuthAPI;
     constructor(config: AuthSdkConfig);
+    /**
+     * Initialize OAuth client for OAuth 2.0 flows
+     *
+     * @example
+     * ```typescript
+     * authClient.initializeOAuth({
+     *   clientId: 'your-client-id',
+     *   redirectUri: 'https://yourapp.com/callback',
+     *   scope: 'openid profile email'
+     * });
+     * ```
+     */
+    initializeOAuth(config: OAuthConfig): void;
     /**
      * GET request
      */

package/dist/client/auth-client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-client.d.ts","sourceRoot":"","sources":["../../src/client/auth-client.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAc,EAAE,aAAa,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AAChF,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,OAAO,CAAC;AAEnF,qBAAa,UAAU;IACrB,OAAO,CAAC,MAAM,CAAgB;IAC9B,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,KAAK,CAAuB;IAGpC,SAAgB,IAAI,EAAE,OAAO,CAAC;IAC9B,SAAgB,MAAM,EAAE,SAAS,CAAC;IAClC,SAAgB,YAAY,EAAE,eAAe,CAAC;IAC9C,SAAgB,KAAK,EAAE,QAAQ,CAAC;IAChC,SAAgB,QAAQ,EAAE,WAAW,CAAC;gBAE1B,MAAM,EAAE,aAAa;IAmDjC;;OAEG;IACG,GAAG,CAAC,CAAC,GAAG,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IAIvF;;OAEG;IACG,IAAI,CAAC,CAAC,GAAG,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IAIpG;;OAEG;IACG,GAAG,CAAC,CAAC,GAAG,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IAInG;;OAEG;IACG,KAAK,CAAC,CAAC,GAAG,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IAIrG;;OAEG;IACG,MAAM,CAAC,CAAC,GAAG,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IAI1F;;OAEG;IACH,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAI/B;;OAEG;IACH,eAAe,IAAI,MAAM;IAMzB;;OAEG;IACH,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAI7B;;OAEG;IACH,cAAc,IAAI,MAAM;IAOxB;;OAEG;IACH,UAAU,IAAI,IAAI;IAIlB;;OAEG;IACH,gBAAgB,IAAI,aAAa;CAGlC"}
+{"version":3,"file":"auth-client.d.ts","sourceRoot":"","sources":["../../src/client/auth-client.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAc,EAAE,aAAa,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AAChF,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,OAAO,CAAC;AAEnH,qBAAa,UAAU;IACrB,OAAO,CAAC,MAAM,CAAgB;IAC9B,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,KAAK,CAAuB;IAGpC,SAAgB,IAAI,EAAE,OAAO,CAAC;IAC9B,SAAgB,MAAM,EAAE,SAAS,CAAC;IAClC,SAAgB,YAAY,EAAE,eAAe,CAAC;IAC9C,SAAgB,KAAK,EAAE,QAAQ,CAAC;IAChC,SAAgB,QAAQ,EAAE,WAAW,CAAC;IACtC,SAAgB,IAAI,EAAE,OAAO,CAAC;IACvB,KAAK,CAAC,EAAE,QAAQ,CAAC;gBAEZ,MAAM,EAAE,aAAa;IAoDjC;;;;;;;;;;;OAWG;IACH,eAAe,CAAC,MAAM,EAAE,WAAW,GAAG,IAAI;IAI1C;;OAEG;IACG,GAAG,CAAC,CAAC,GAAG,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IAIvF;;OAEG;IACG,IAAI,CAAC,CAAC,GAAG,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IAIpG;;OAEG;IACG,GAAG,CAAC,CAAC,GAAG,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IAInG;;OAEG;IACG,KAAK,CAAC,CAAC,GAAG,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IAIrG;;OAEG;IACG,MAAM,CAAC,CAAC,GAAG,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IAI1F;;OAEG;IACH,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAI/B;;OAEG;IACH,eAAe,IAAI,MAAM;IAMzB;;OAEG;IACH,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAI7B;;OAEG;IACH,cAAc,IAAI,MAAM;IAOxB;;OAEG;IACH,UAAU,IAAI,IAAI;IAIlB;;OAEG;IACH,gBAAgB,IAAI,aAAa;CAGlC"}

package/dist/client/auth-client.js

@@ -54,6 +54,22 @@ class AuthClient {
         this.systemConfig = new api_1.SystemConfigAPI(this);
         this.files = new api_1.FilesAPI(this);
         this.eventLog = new api_1.EventLogApi(this);
+        this.line = new api_1.LineAPI(this);
+    }
+    /**
+     * Initialize OAuth client for OAuth 2.0 flows
+     *
+     * @example
+     * ```typescript
+     * authClient.initializeOAuth({
+     *   clientId: 'your-client-id',
+     *   redirectUri: 'https://yourapp.com/callback',
+     *   scope: 'openid profile email'
+     * });
+     * ```
+     */
+    initializeOAuth(config) {
+        this.oauth = new api_1.OAuthAPI(this, config);
     }
     /**
      * GET request

package/dist/index.d.ts

@@ -6,4 +6,5 @@
  */
 export * from './types';
 export * from './client';
+export * from './middleware';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,cAAc,SAAS,CAAC;AAGxB,cAAc,UAAU,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,cAAc,SAAS,CAAC;AAGxB,cAAc,UAAU,CAAC;AAGzB,cAAc,cAAc,CAAC"}

package/dist/index.js

@@ -24,3 +24,5 @@ Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./types"), exports);
 // Client (Frontend & Backend)
 __exportStar(require("./client"), exports);
+// Middleware (Backend only - Express & NestJS)
+__exportStar(require("./middleware"), exports);

package/dist/middleware/express.middleware.d.ts

@@ -0,0 +1,62 @@
+/**
+ * Express Middleware for Win Portal Auth
+ *
+ * Simple middleware that injects user profile into req.user
+ */
+import { User } from '../types';
+import { MiddlewareConfig, AuthContext } from './types';
+import './express.types';
+/**
+ * Create Express/NestJS middleware
+ *
+ * @example
+ * ```typescript
+ * import { authMiddleware } from 'win-portal-auth-sdk';
+ *
+ * // Express
+ * app.use(authMiddleware({
+ *   baseURL: 'https://api.example.com',
+ *   apiKey: 'your-api-key'
+ * }));
+ *
+ * // In routes
+ * app.get('/profile', (req, res) => {
+ *   const user = req.user; // User
+ *   const token = req.token;
+ * });
+ * ```
+ */
+export declare function authMiddleware(config: MiddlewareConfig): (req: any, res: any, next: any) => Promise<any>;
+/**
+ * Get Auth from Request
+ *
+ * @example
+ * ```typescript
+ * const { user, token } = getAuth(req);
+ * if (user) {
+ *   console.log(user.email, user.permissions);
+ * }
+ * ```
+ */
+export declare function getAuth(req: any): AuthContext;
+/**
+ * Require Auth - throws if not authenticated
+ *
+ * @example
+ * ```typescript
+ * app.get('/protected', (req, res) => {
+ *   const { user } = requireAuth(req);
+ *   // user is guaranteed to be non-null
+ *   res.json({ email: user.email });
+ * });
+ * ```
+ */
+export declare function requireAuth(req: any): {
+    user: User;
+    token: string;
+};
+/**
+ * Clear user cache (useful for testing or manual cache invalidation)
+ */
+export declare function clearAuthCache(token?: string): void;
+//# sourceMappingURL=express.middleware.d.ts.map

package/dist/middleware/express.middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"express.middleware.d.ts","sourceRoot":"","sources":["../../src/middleware/express.middleware.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AAChC,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAGxD,OAAO,iBAAiB,CAAC;AAUzB;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,gBAAgB,SAYlC,GAAG,OAAO,GAAG,QAAQ,GAAG,kBAoG5C;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,OAAO,CAAC,GAAG,EAAE,GAAG,GAAG,WAAW,CAK7C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,GAAG,GAAG;IACrC,IAAI,EAAE,IAAI,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;CACf,CASA;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,CAAC,EAAE,MAAM,QAM5C"}

package/dist/middleware/express.middleware.js

@@ -0,0 +1,185 @@
+"use strict";
+/**
+ * Express Middleware for Win Portal Auth
+ *
+ * Simple middleware that injects user profile into req.user
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.clearAuthCache = exports.requireAuth = exports.getAuth = exports.authMiddleware = void 0;
+const client_1 = require("../client");
+// Import Express type augmentation
+require("./express.types");
+const userCache = new Map();
+/**
+ * Create Express/NestJS middleware
+ *
+ * @example
+ * ```typescript
+ * import { authMiddleware } from 'win-portal-auth-sdk';
+ *
+ * // Express
+ * app.use(authMiddleware({
+ *   baseURL: 'https://api.example.com',
+ *   apiKey: 'your-api-key'
+ * }));
+ *
+ * // In routes
+ * app.get('/profile', (req, res) => {
+ *   const user = req.user; // User
+ *   const token = req.token;
+ * });
+ * ```
+ */
+function authMiddleware(config) {
+    const client = new client_1.AuthClient({
+        baseURL: config.baseURL,
+        apiKey: config.apiKey,
+        apiKeyHeader: config.apiKeyHeader,
+    });
+    const cacheTimeout = (config.cacheTimeout || 300) * 1000; // Convert to ms
+    const tokenStrategy = config.tokenStrategy || 'bearer';
+    const cookieName = config.cookieName || 'access_token';
+    const excludePaths = config.excludePaths || [];
+    return async (req, res, next) => {
+        // No type assertion needed - req already has user/token from Express.Request augmentation
+        // Check if path is excluded
+        const shouldSkip = excludePaths.some((pattern) => {
+            if (typeof pattern === 'string') {
+                return req.path === pattern;
+            }
+            return pattern.test(req.path);
+        });
+        if (shouldSkip) {
+            req.user = null;
+            req.token = null;
+            return next();
+        }
+        // Extract token
+        let token = null;
+        if (config.tokenExtractor) {
+            token = config.tokenExtractor(req);
+        }
+        else if (tokenStrategy === 'bearer') {
+            const authHeader = req.headers.authorization;
+            if (authHeader && authHeader.startsWith('Bearer ')) {
+                token = authHeader.substring(7);
+            }
+        }
+        else if (tokenStrategy === 'cookie') {
+            token = req.cookies?.[cookieName] || null;
+        }
+        // No token found
+        if (!token) {
+            if (config.optional) {
+                req.user = null;
+                req.token = null;
+                return next();
+            }
+            return res.status(401).json({
+                statusCode: 401,
+                message: 'Authentication required',
+                error: 'Unauthorized',
+            });
+        }
+        try {
+            // Check cache first
+            const cached = userCache.get(token);
+            if (cached && Date.now() - cached.timestamp < cacheTimeout) {
+                req.user = cached.user;
+                req.token = token;
+                return next();
+            }
+            // Fetch user profile from API
+            client.setToken(token);
+            const user = await client.auth.profile();
+            // Update cache
+            userCache.set(token, {
+                user,
+                timestamp: Date.now(),
+            });
+            // Clean up old cache entries (simple cleanup)
+            if (userCache.size > 1000) {
+                const now = Date.now();
+                const entries = Array.from(userCache.entries());
+                for (const [key, entry] of entries) {
+                    if (now - entry.timestamp > cacheTimeout) {
+                        userCache.delete(key);
+                    }
+                }
+            }
+            // Attach user to request
+            req.user = user;
+            req.token = token;
+            next();
+        }
+        catch (error) {
+            // Clear cache on error
+            userCache.delete(token);
+            if (config.optional) {
+                req.user = null;
+                req.token = null;
+                return next();
+            }
+            const status = error.response?.status || 401;
+            const message = error.response?.data?.message || 'Authentication failed';
+            return res.status(status).json({
+                statusCode: status,
+                message,
+                error: 'Unauthorized',
+            });
+        }
+    };
+}
+exports.authMiddleware = authMiddleware;
+/**
+ * Get Auth from Request
+ *
+ * @example
+ * ```typescript
+ * const { user, token } = getAuth(req);
+ * if (user) {
+ *   console.log(user.email, user.permissions);
+ * }
+ * ```
+ */
+function getAuth(req) {
+    return {
+        user: req.user || null,
+        token: req.token || null,
+    };
+}
+exports.getAuth = getAuth;
+/**
+ * Require Auth - throws if not authenticated
+ *
+ * @example
+ * ```typescript
+ * app.get('/protected', (req, res) => {
+ *   const { user } = requireAuth(req);
+ *   // user is guaranteed to be non-null
+ *   res.json({ email: user.email });
+ * });
+ * ```
+ */
+function requireAuth(req) {
+    if (!req.user || !req.token) {
+        throw new Error('Authentication required');
+    }
+    return {
+        user: req.user,
+        token: req.token,
+    };
+}
+exports.requireAuth = requireAuth;
+/**
+ * Clear user cache (useful for testing or manual cache invalidation)
+ */
+function clearAuthCache(token) {
+    if (token) {
+        userCache.delete(token);
+    }
+    else {
+        userCache.clear();
+    }
+}
+exports.clearAuthCache = clearAuthCache;

package/dist/middleware/express.types.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Express Type Extensions
+ *
+ * Extends Express Request interface to include auth properties
+ */
+import { User } from '../types';
+declare global {
+    namespace Express {
+        interface Request {
+            /**
+             * Authenticated user profile
+             * - Set by authMiddleware when token is valid
+             * - null when optional=true and no token provided
+             * - undefined when middleware not applied to route
+             */
+            user?: User | null;
+            /**
+             * Access token used for authentication
+             * - Extracted from Authorization header or cookie
+             * - null when optional=true and no token provided
+             * - undefined when middleware not applied to route
+             */
+            token?: string | null;
+        }
+    }
+}
+export {};
+//# sourceMappingURL=express.types.d.ts.map

package/dist/middleware/express.types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"express.types.d.ts","sourceRoot":"","sources":["../../src/middleware/express.types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AAEhC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf;;;;;eAKG;YACH,IAAI,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;YAEnB;;;;;eAKG;YACH,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;SACvB;KACF;CACF;AAGD,OAAO,EAAE,CAAC"}