2026-01-06 15:33:03 +00:00
|
|
|
// API Client for Gatehouse Backend
|
2026-01-07 14:29:40 +00:00
|
|
|
// Uses Bearer token authentication
|
2026-01-06 15:33:03 +00:00
|
|
|
|
2026-01-06 15:42:41 +00:00
|
|
|
import { config } from '@/config';
|
2026-01-06 15:33:03 +00:00
|
|
|
|
|
|
|
|
interface ApiResponse<T = unknown> {
|
|
|
|
|
version: string;
|
|
|
|
|
success: boolean;
|
|
|
|
|
code: number;
|
|
|
|
|
message: string;
|
|
|
|
|
data?: T;
|
|
|
|
|
error?: {
|
|
|
|
|
type: string;
|
|
|
|
|
details: Record<string, unknown>;
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface User {
|
|
|
|
|
id: string;
|
|
|
|
|
email: string;
|
2026-01-06 16:06:53 +00:00
|
|
|
email_verified: boolean;
|
2026-01-06 15:33:03 +00:00
|
|
|
full_name: string | null;
|
|
|
|
|
avatar_url: string | null;
|
2026-01-06 16:06:53 +00:00
|
|
|
status: string;
|
|
|
|
|
last_login_at: string | null;
|
|
|
|
|
created_at: string;
|
|
|
|
|
updated_at: string;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface Organization {
|
|
|
|
|
id: string;
|
|
|
|
|
name: string;
|
|
|
|
|
slug: string;
|
|
|
|
|
description: string | null;
|
|
|
|
|
logo_url: string | null;
|
2026-01-06 15:33:03 +00:00
|
|
|
is_active: boolean;
|
2026-01-06 16:06:53 +00:00
|
|
|
role: string;
|
2026-01-06 15:33:03 +00:00
|
|
|
created_at: string;
|
|
|
|
|
updated_at: string;
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-06 16:06:53 +00:00
|
|
|
export interface OrganizationsResponse {
|
|
|
|
|
organizations: Organization[];
|
|
|
|
|
count: number;
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-16 17:31:25 +10:30
|
|
|
export interface MfaComplianceOrgSummary {
|
|
|
|
|
organization_id: string;
|
|
|
|
|
organization_name: string;
|
|
|
|
|
status: string;
|
|
|
|
|
deadline_at: string | null;
|
|
|
|
|
effective_mode: string;
|
|
|
|
|
applied_at: string;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface MfaComplianceSummary {
|
|
|
|
|
overall_status: string;
|
|
|
|
|
missing_methods: string[];
|
|
|
|
|
deadline_at: string | null;
|
|
|
|
|
orgs: MfaComplianceOrgSummary[];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Check if MFA is required for the user based on their compliance status.
|
|
|
|
|
* This checks if any organization has an effective_mode that starts with "require_",
|
|
|
|
|
* which handles require_webauthn, require_totp, or any future MFA methods.
|
|
|
|
|
*/
|
|
|
|
|
export function isMfaRequired(compliance: MfaComplianceSummary | null): boolean {
|
|
|
|
|
if (!compliance || !compliance.orgs) return false;
|
|
|
|
|
return compliance.orgs.some(
|
|
|
|
|
org => org.effective_mode && org.effective_mode.startsWith('require_')
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-06 15:33:03 +00:00
|
|
|
export interface LoginResponse {
|
2026-01-14 07:21:55 +00:00
|
|
|
user?: User;
|
|
|
|
|
token?: string;
|
|
|
|
|
expires_at?: string;
|
2026-01-12 06:28:36 +00:00
|
|
|
requires_totp?: boolean;
|
2026-01-16 17:50:56 +10:30
|
|
|
requires_webauthn?: boolean;
|
2026-01-16 17:31:25 +10:30
|
|
|
requires_mfa_enrollment?: boolean;
|
|
|
|
|
mfa_compliance?: MfaComplianceSummary;
|
2026-01-12 06:28:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface TotpEnrollResponse {
|
|
|
|
|
secret: string;
|
|
|
|
|
provisioning_uri: string;
|
|
|
|
|
qr_code: string; // base64 PNG
|
|
|
|
|
backup_codes: string[];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface TotpStatusResponse {
|
|
|
|
|
totp_enabled: boolean;
|
|
|
|
|
verified_at: string | null;
|
|
|
|
|
backup_codes_remaining: number;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface TotpVerifyResponse {
|
|
|
|
|
user: User;
|
|
|
|
|
token: string;
|
|
|
|
|
expires_at: string;
|
2026-01-06 15:33:03 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface ProfileResponse {
|
|
|
|
|
user: User;
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-14 15:32:30 +00:00
|
|
|
// WebAuthn types
|
|
|
|
|
export interface PasskeyCredential {
|
|
|
|
|
id: string;
|
|
|
|
|
name: string;
|
|
|
|
|
transports: string[];
|
|
|
|
|
device_type: string;
|
|
|
|
|
created_at: string;
|
|
|
|
|
last_used_at: string | null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface WebAuthnStatusResponse {
|
|
|
|
|
webauthn_enabled: boolean;
|
|
|
|
|
credential_count: number;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface WebAuthnCredentialsResponse {
|
|
|
|
|
credentials: PasskeyCredential[];
|
|
|
|
|
count: number;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface WebAuthnLoginCompleteResponse {
|
|
|
|
|
user: User;
|
|
|
|
|
token: string;
|
|
|
|
|
expires_at: string;
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-21 03:09:38 +10:30
|
|
|
// External Auth Types
|
2026-02-26 23:38:45 +05:45
|
|
|
export type ExternalProviderId = 'google' | 'github' | 'microsoft';
|
|
|
|
|
|
2026-01-20 15:54:11 +10:30
|
|
|
export interface ExternalProvider {
|
2026-01-21 03:09:38 +10:30
|
|
|
id: string;
|
2026-01-20 15:54:11 +10:30
|
|
|
name: string;
|
2026-01-21 03:09:38 +10:30
|
|
|
type: string;
|
|
|
|
|
is_configured: boolean;
|
2026-01-20 15:54:11 +10:30
|
|
|
is_active: boolean;
|
2026-01-21 03:09:38 +10:30
|
|
|
settings: {
|
|
|
|
|
requires_domain: boolean;
|
|
|
|
|
supports_refresh_tokens: boolean;
|
|
|
|
|
};
|
2026-01-20 15:54:11 +10:30
|
|
|
}
|
|
|
|
|
|
2026-01-21 03:09:38 +10:30
|
|
|
export interface ExternalProvidersResponse {
|
|
|
|
|
providers: ExternalProvider[];
|
2026-01-20 15:54:11 +10:30
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface LinkedAccount {
|
|
|
|
|
id: string;
|
2026-01-21 03:09:38 +10:30
|
|
|
provider_type: string;
|
|
|
|
|
provider_user_id: string;
|
|
|
|
|
email: string | null;
|
|
|
|
|
name: string | null;
|
|
|
|
|
picture: string | null;
|
|
|
|
|
verified: boolean;
|
|
|
|
|
linked_at: string | null;
|
|
|
|
|
last_used_at: string | null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface LinkedAccountsResponse {
|
|
|
|
|
linked_accounts: LinkedAccount[];
|
|
|
|
|
unlink_available: boolean;
|
2026-01-20 15:54:11 +10:30
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface OAuthAuthorizeResponse {
|
|
|
|
|
authorization_url: string;
|
|
|
|
|
state: string;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface OAuthCallbackResponse {
|
2026-01-21 03:09:38 +10:30
|
|
|
token: string;
|
|
|
|
|
expires_in: number;
|
|
|
|
|
token_type: string;
|
|
|
|
|
user: User;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface LinkAccountResponse {
|
|
|
|
|
linked_account: LinkedAccount;
|
2026-01-20 15:54:11 +10:30
|
|
|
}
|
|
|
|
|
|
2026-01-06 15:33:03 +00:00
|
|
|
class ApiError extends Error {
|
|
|
|
|
code: number;
|
|
|
|
|
type: string;
|
|
|
|
|
details: Record<string, unknown>;
|
|
|
|
|
|
|
|
|
|
constructor(message: string, code: number, type: string, details: Record<string, unknown> = {}) {
|
|
|
|
|
super(message);
|
|
|
|
|
this.name = 'ApiError';
|
|
|
|
|
this.code = code;
|
|
|
|
|
this.type = type;
|
|
|
|
|
this.details = details;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-07 14:29:40 +00:00
|
|
|
// Token storage keys
|
|
|
|
|
const TOKEN_KEY = 'gatehouse_token';
|
|
|
|
|
const TOKEN_EXPIRY_KEY = 'gatehouse_token_expiry';
|
|
|
|
|
|
|
|
|
|
// Token management
|
|
|
|
|
export const tokenManager = {
|
|
|
|
|
getToken: (): string | null => {
|
|
|
|
|
const token = localStorage.getItem(TOKEN_KEY);
|
|
|
|
|
const expiry = localStorage.getItem(TOKEN_EXPIRY_KEY);
|
|
|
|
|
|
|
|
|
|
// Check if token is expired
|
|
|
|
|
if (token && expiry) {
|
|
|
|
|
const expiryDate = new Date(expiry);
|
|
|
|
|
if (expiryDate <= new Date()) {
|
|
|
|
|
tokenManager.clearToken();
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return token;
|
|
|
|
|
},
|
|
|
|
|
|
2026-01-15 23:15:04 +00:00
|
|
|
setToken: (token: string, expiresAt?: string | null): void => {
|
2026-01-07 14:29:40 +00:00
|
|
|
localStorage.setItem(TOKEN_KEY, token);
|
2026-01-15 23:15:04 +00:00
|
|
|
if (expiresAt) {
|
|
|
|
|
localStorage.setItem(TOKEN_EXPIRY_KEY, expiresAt);
|
|
|
|
|
} else {
|
|
|
|
|
localStorage.removeItem(TOKEN_EXPIRY_KEY);
|
|
|
|
|
}
|
2026-01-07 14:29:40 +00:00
|
|
|
},
|
|
|
|
|
|
|
|
|
|
clearToken: (): void => {
|
|
|
|
|
localStorage.removeItem(TOKEN_KEY);
|
|
|
|
|
localStorage.removeItem(TOKEN_EXPIRY_KEY);
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
hasValidToken: (): boolean => {
|
2026-02-27 21:08:16 +05:45
|
|
|
return tokenManager.getToken() !== null;
|
2026-01-07 14:29:40 +00:00
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
2026-01-14 02:10:23 +00:00
|
|
|
// Error types that indicate the session/token is truly invalid
|
|
|
|
|
const SESSION_INVALID_ERROR_TYPES = [
|
|
|
|
|
'INVALID_TOKEN',
|
|
|
|
|
'TOKEN_EXPIRED',
|
|
|
|
|
'SESSION_EXPIRED',
|
|
|
|
|
'AUTH_ERROR',
|
|
|
|
|
'UNAUTHORIZED',
|
|
|
|
|
];
|
|
|
|
|
|
2026-01-16 17:31:25 +10:30
|
|
|
export const AUTHORIZATION_ERROR_TYPES = ['AUTHORIZATION_ERROR'] as const;
|
|
|
|
|
|
2026-01-14 02:10:23 +00:00
|
|
|
interface RequestConfig {
|
|
|
|
|
// Controls token clearing on 401:
|
|
|
|
|
// - 'auto' (default): Clear only if error type indicates invalid session
|
|
|
|
|
// - true: Always clear token on 401
|
|
|
|
|
// - false: Never clear token on 401
|
|
|
|
|
clearTokenOn401?: boolean | 'auto';
|
2026-01-16 17:31:25 +10:30
|
|
|
// Optional callback for handling 403 authorization errors
|
|
|
|
|
on403?: (error: ApiError) => void;
|
2026-01-14 02:10:23 +00:00
|
|
|
}
|
|
|
|
|
|
2026-01-07 14:29:40 +00:00
|
|
|
// Central request function - all API calls go through here
|
2026-01-06 15:33:03 +00:00
|
|
|
async function request<T>(
|
|
|
|
|
endpoint: string,
|
2026-01-07 14:29:40 +00:00
|
|
|
options: RequestInit = {},
|
2026-01-14 02:10:23 +00:00
|
|
|
requiresAuth = true,
|
|
|
|
|
requestConfig: RequestConfig = {}
|
2026-01-06 15:33:03 +00:00
|
|
|
): Promise<T> {
|
2026-01-16 17:31:25 +10:30
|
|
|
const { clearTokenOn401 = 'auto', on403 } = requestConfig;
|
2026-01-14 02:10:23 +00:00
|
|
|
|
2026-01-07 14:29:40 +00:00
|
|
|
const headers: Record<string, string> = {
|
|
|
|
|
'Content-Type': 'application/json',
|
2026-01-12 01:24:59 +00:00
|
|
|
'Cache-Control': 'no-cache, no-store, must-revalidate',
|
|
|
|
|
'Pragma': 'no-cache',
|
2026-01-07 14:29:40 +00:00
|
|
|
...(options.headers as Record<string, string>),
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Add Authorization header if we have a token and auth is required
|
|
|
|
|
if (requiresAuth) {
|
|
|
|
|
const token = tokenManager.getToken();
|
|
|
|
|
if (token) {
|
|
|
|
|
headers['Authorization'] = `Bearer ${token}`;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-06 15:42:41 +00:00
|
|
|
const response = await fetch(`${config.api.baseUrl}${endpoint}`, {
|
2026-01-06 15:33:03 +00:00
|
|
|
...options,
|
2026-01-07 14:29:40 +00:00
|
|
|
headers,
|
2026-01-15 22:46:27 +00:00
|
|
|
credentials: 'include', // Always include cookies for session consistency
|
2026-01-12 01:24:59 +00:00
|
|
|
cache: 'no-store',
|
2026-01-06 15:33:03 +00:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const json: ApiResponse<T> = await response.json();
|
|
|
|
|
|
|
|
|
|
if (!json.success) {
|
2026-01-14 02:10:23 +00:00
|
|
|
const errorType = json.error?.type || 'UNKNOWN_ERROR';
|
|
|
|
|
|
|
|
|
|
// Handle 401 token clearing based on configuration
|
2026-01-07 14:29:40 +00:00
|
|
|
if (json.code === 401) {
|
2026-01-14 02:10:23 +00:00
|
|
|
const shouldClearToken =
|
|
|
|
|
clearTokenOn401 === true ||
|
|
|
|
|
(clearTokenOn401 === 'auto' && SESSION_INVALID_ERROR_TYPES.includes(errorType));
|
|
|
|
|
|
|
|
|
|
if (shouldClearToken) {
|
|
|
|
|
tokenManager.clearToken();
|
|
|
|
|
if (import.meta.env.DEV) {
|
|
|
|
|
console.log(`[API] Token cleared on 401 (type: ${errorType}, endpoint: ${endpoint})`);
|
|
|
|
|
}
|
|
|
|
|
} else if (import.meta.env.DEV) {
|
|
|
|
|
console.log(`[API] 401 received but token preserved (type: ${errorType}, endpoint: ${endpoint})`);
|
|
|
|
|
}
|
2026-01-07 14:29:40 +00:00
|
|
|
}
|
2026-01-16 17:31:25 +10:30
|
|
|
|
|
|
|
|
// Handle 403 authorization errors
|
|
|
|
|
if (json.code === 403) {
|
|
|
|
|
const error = new ApiError(
|
|
|
|
|
json.message || 'Access denied',
|
|
|
|
|
json.code,
|
|
|
|
|
errorType,
|
|
|
|
|
json.error?.details || {}
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (on403) {
|
|
|
|
|
on403(error);
|
|
|
|
|
}
|
|
|
|
|
throw error;
|
|
|
|
|
}
|
2026-01-07 14:29:40 +00:00
|
|
|
|
2026-01-06 15:33:03 +00:00
|
|
|
throw new ApiError(
|
|
|
|
|
json.message || 'An error occurred',
|
|
|
|
|
json.code,
|
2026-01-14 02:10:23 +00:00
|
|
|
errorType,
|
2026-01-06 15:33:03 +00:00
|
|
|
json.error?.details || {}
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return json.data as T;
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-07 14:29:40 +00:00
|
|
|
// Centralized API client - all routes defined here
|
2026-01-06 15:33:03 +00:00
|
|
|
export const api = {
|
|
|
|
|
auth: {
|
2026-01-07 14:29:40 +00:00
|
|
|
login: async (email: string, password: string, remember_me = false): Promise<LoginResponse> => {
|
|
|
|
|
const response = await request<LoginResponse>('/auth/login', {
|
2026-01-06 15:33:03 +00:00
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ email, password, remember_me }),
|
2026-01-14 07:21:55 +00:00
|
|
|
credentials: 'include', // Required for TOTP session tracking
|
2026-01-07 14:29:40 +00:00
|
|
|
}, false); // Login doesn't require auth
|
|
|
|
|
|
2026-01-14 07:21:55 +00:00
|
|
|
// Only store token if login is complete (no TOTP required)
|
2026-01-15 23:15:04 +00:00
|
|
|
if (response.token && !response.requires_totp) {
|
|
|
|
|
tokenManager.setToken(response.token, response.expires_at ?? null);
|
2026-01-14 07:21:55 +00:00
|
|
|
}
|
2026-01-07 14:29:40 +00:00
|
|
|
|
|
|
|
|
return response;
|
|
|
|
|
},
|
2026-01-06 15:33:03 +00:00
|
|
|
|
2026-02-27 21:08:16 +05:45
|
|
|
register: async (email: string, password: string, full_name?: string): Promise<LoginResponse> => {
|
|
|
|
|
const response = await request<LoginResponse>('/auth/register', {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ email, password, password_confirm: password, full_name }),
|
|
|
|
|
}, false);
|
|
|
|
|
|
|
|
|
|
if (response.token) {
|
|
|
|
|
tokenManager.setToken(response.token, response.expires_at ?? null);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return response;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
forgotPassword: (email: string): Promise<{ message: string }> =>
|
|
|
|
|
request<{ message: string }>('/auth/forgot-password', {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ email }),
|
|
|
|
|
}, false),
|
|
|
|
|
|
|
|
|
|
resetPassword: (token: string, password: string): Promise<{ message: string }> =>
|
|
|
|
|
request<{ message: string }>('/auth/reset-password', {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ token, password, password_confirm: password }),
|
|
|
|
|
}, false),
|
|
|
|
|
|
|
|
|
|
verifyEmail: (token: string): Promise<{ message: string }> =>
|
|
|
|
|
request<{ message: string }>('/auth/verify-email', {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ token }),
|
|
|
|
|
}, false),
|
|
|
|
|
|
|
|
|
|
resendVerification: (email: string): Promise<{ message: string }> =>
|
|
|
|
|
request<{ message: string }>('/auth/resend-verification', {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ email }),
|
|
|
|
|
}, false),
|
|
|
|
|
|
2026-01-07 14:29:40 +00:00
|
|
|
logout: async (): Promise<void> => {
|
|
|
|
|
try {
|
|
|
|
|
await request<void>('/auth/logout', {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
});
|
|
|
|
|
} finally {
|
|
|
|
|
// Always clear token on logout
|
|
|
|
|
tokenManager.clearToken();
|
|
|
|
|
}
|
|
|
|
|
},
|
2026-01-06 15:33:03 +00:00
|
|
|
},
|
|
|
|
|
|
|
|
|
|
users: {
|
2026-01-14 02:10:23 +00:00
|
|
|
// me() is the canonical session validity check - always clear token on 401
|
|
|
|
|
me: () => request<ProfileResponse>('/users/me', {}, true, { clearTokenOn401: true }),
|
2026-01-06 15:33:03 +00:00
|
|
|
|
|
|
|
|
updateMe: (data: { full_name?: string; avatar_url?: string }) =>
|
|
|
|
|
request<ProfileResponse>('/users/me', {
|
|
|
|
|
method: 'PATCH',
|
|
|
|
|
body: JSON.stringify(data),
|
|
|
|
|
}),
|
2026-01-06 16:06:53 +00:00
|
|
|
|
2026-01-16 17:31:25 +10:30
|
|
|
organizations: (requestConfig?: RequestConfig) =>
|
|
|
|
|
request<OrganizationsResponse>('/users/me/organizations', {}, true, requestConfig),
|
2026-01-11 08:17:15 +00:00
|
|
|
|
2026-01-14 02:10:23 +00:00
|
|
|
// Password change can return 401 for wrong current password - don't clear token
|
2026-01-11 08:17:15 +00:00
|
|
|
changePassword: (currentPassword: string, newPassword: string, newPasswordConfirm: string) =>
|
|
|
|
|
request<{ message: string }>('/users/me/password', {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({
|
|
|
|
|
current_password: currentPassword,
|
|
|
|
|
new_password: newPassword,
|
|
|
|
|
new_password_confirm: newPasswordConfirm,
|
|
|
|
|
}),
|
2026-01-14 02:10:23 +00:00
|
|
|
}, true, { clearTokenOn401: false }),
|
2026-02-27 21:08:16 +05:45
|
|
|
|
|
|
|
|
// Get audit logs for the currently authenticated user
|
|
|
|
|
auditLogs: (params?: Record<string, string>, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ audit_logs: AuditLogEntry[]; count: number; page: number; per_page: number; pages: number }>(
|
|
|
|
|
`/auth/audit-logs${params ? '?' + new URLSearchParams(params).toString() : ''}`,
|
|
|
|
|
{},
|
|
|
|
|
true,
|
|
|
|
|
requestConfig,
|
|
|
|
|
),
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
admin: {
|
|
|
|
|
// Get all system audit logs (admin view — returns all logs for org owners, own logs otherwise)
|
|
|
|
|
getAuditLogs: (params?: Record<string, string>, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ audit_logs: AuditLogEntry[]; count: number; page: number; per_page: number; pages: number; is_admin_view: boolean }>(
|
|
|
|
|
`/audit-logs${params ? '?' + new URLSearchParams(params).toString() : ''}`,
|
|
|
|
|
{},
|
|
|
|
|
true,
|
|
|
|
|
requestConfig,
|
|
|
|
|
),
|
2026-01-06 15:33:03 +00:00
|
|
|
},
|
2026-01-12 06:28:36 +00:00
|
|
|
|
|
|
|
|
totp: {
|
|
|
|
|
// Initiate TOTP enrollment - returns secret, QR code, and backup codes
|
|
|
|
|
enroll: () =>
|
|
|
|
|
request<TotpEnrollResponse>('/auth/totp/enroll', {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
}),
|
|
|
|
|
|
2026-01-14 02:10:23 +00:00
|
|
|
// Verify TOTP enrollment - wrong code should not log user out
|
2026-01-12 06:28:36 +00:00
|
|
|
verifyEnrollment: (code: string) =>
|
|
|
|
|
request<{ message: string }>('/auth/totp/verify-enrollment', {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ code }),
|
2026-01-14 02:10:23 +00:00
|
|
|
}, true, { clearTokenOn401: false }),
|
2026-01-12 06:28:36 +00:00
|
|
|
|
|
|
|
|
// Verify TOTP code during login (no auth required - uses session state)
|
2026-01-14 07:21:55 +00:00
|
|
|
verify: async (code: string, isBackupCode = false): Promise<TotpVerifyResponse> => {
|
|
|
|
|
const response = await request<TotpVerifyResponse>('/auth/totp/verify', {
|
2026-01-12 06:28:36 +00:00
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ code, is_backup_code: isBackupCode }),
|
2026-01-14 07:21:55 +00:00
|
|
|
credentials: 'include', // Required for TOTP session tracking
|
|
|
|
|
}, false);
|
|
|
|
|
|
2026-01-15 23:15:04 +00:00
|
|
|
if (response.token) {
|
|
|
|
|
tokenManager.setToken(response.token, response.expires_at ?? null);
|
2026-01-14 07:21:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return response;
|
|
|
|
|
},
|
2026-01-12 06:28:36 +00:00
|
|
|
|
2026-01-20 15:54:11 +10:30
|
|
|
// Verify TOTP code with an mfa_token (used after OAuth callback when MFA is required)
|
|
|
|
|
verifyWithMfaToken: async (code: string, mfaToken: string, isBackupCode = false): Promise<TotpVerifyResponse> => {
|
|
|
|
|
const response = await request<TotpVerifyResponse>('/auth/totp/verify', {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ code, mfa_token: mfaToken, is_backup_code: isBackupCode }),
|
|
|
|
|
credentials: 'include',
|
|
|
|
|
}, false);
|
|
|
|
|
|
|
|
|
|
if (response.token) {
|
|
|
|
|
tokenManager.setToken(response.token, response.expires_at ?? null);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return response;
|
|
|
|
|
},
|
|
|
|
|
|
2026-01-12 06:28:36 +00:00
|
|
|
// Get TOTP status
|
|
|
|
|
status: () =>
|
|
|
|
|
request<TotpStatusResponse>('/auth/totp/status'),
|
|
|
|
|
|
2026-01-14 02:10:23 +00:00
|
|
|
// Disable TOTP - wrong password should not log user out
|
2026-01-12 06:28:36 +00:00
|
|
|
disable: (password: string) =>
|
|
|
|
|
request<{ message: string }>('/auth/totp/disable', {
|
|
|
|
|
method: 'DELETE',
|
|
|
|
|
body: JSON.stringify({ password }),
|
2026-01-14 02:10:23 +00:00
|
|
|
}, true, { clearTokenOn401: false }),
|
2026-01-12 06:28:36 +00:00
|
|
|
|
2026-01-14 02:10:23 +00:00
|
|
|
// Regenerate backup codes - wrong password should not log user out
|
2026-01-12 06:28:36 +00:00
|
|
|
regenerateBackupCodes: (password: string) =>
|
|
|
|
|
request<{ backup_codes: string[] }>('/auth/totp/regenerate-backup-codes', {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ password }),
|
2026-01-14 02:10:23 +00:00
|
|
|
}, true, { clearTokenOn401: false }),
|
2026-01-12 06:28:36 +00:00
|
|
|
},
|
2026-01-14 15:32:30 +00:00
|
|
|
|
|
|
|
|
webauthn: {
|
|
|
|
|
// Get WebAuthn status
|
|
|
|
|
status: () =>
|
|
|
|
|
request<WebAuthnStatusResponse>('/auth/webauthn/status'),
|
|
|
|
|
|
|
|
|
|
// List all passkeys for current user
|
|
|
|
|
listCredentials: () =>
|
|
|
|
|
request<WebAuthnCredentialsResponse>('/auth/webauthn/credentials'),
|
|
|
|
|
|
|
|
|
|
// Begin passkey registration (returns raw WebAuthn options)
|
|
|
|
|
beginRegistration: async (): Promise<Record<string, unknown>> => {
|
|
|
|
|
const response = await fetch(`${config.api.baseUrl}/auth/webauthn/register/begin`, {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
headers: {
|
|
|
|
|
'Content-Type': 'application/json',
|
|
|
|
|
'Authorization': `Bearer ${tokenManager.getToken()}`,
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
if (!response.ok) {
|
|
|
|
|
const error = await response.json();
|
|
|
|
|
throw new ApiError(
|
|
|
|
|
error.message || 'Failed to begin registration',
|
|
|
|
|
error.code || response.status,
|
|
|
|
|
error.error?.type || 'WEBAUTHN_ERROR',
|
|
|
|
|
error.error?.details || {}
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
// Returns raw WebAuthn options (not wrapped in standard response)
|
|
|
|
|
return response.json();
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
// Complete passkey registration
|
|
|
|
|
completeRegistration: (credential: Record<string, unknown>, name?: string) =>
|
|
|
|
|
request<{ message: string; credential_id: string }>('/auth/webauthn/register/complete', {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ ...credential, name }),
|
|
|
|
|
}),
|
|
|
|
|
|
|
|
|
|
// Begin passkey login (returns raw WebAuthn options)
|
|
|
|
|
beginLogin: async (email: string): Promise<Record<string, unknown>> => {
|
|
|
|
|
const response = await fetch(`${config.api.baseUrl}/auth/webauthn/login/begin`, {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
headers: { 'Content-Type': 'application/json' },
|
2026-01-16 11:35:21 +10:30
|
|
|
credentials: 'include', // Required for session cookie
|
2026-01-14 15:32:30 +00:00
|
|
|
body: JSON.stringify({ email }),
|
|
|
|
|
});
|
|
|
|
|
if (!response.ok) {
|
|
|
|
|
const error = await response.json();
|
|
|
|
|
throw new ApiError(
|
|
|
|
|
error.message || 'No passkeys found for this account',
|
|
|
|
|
error.code || response.status,
|
|
|
|
|
error.error?.type || 'WEBAUTHN_ERROR',
|
|
|
|
|
error.error?.details || {}
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
// Returns raw WebAuthn options (not wrapped in standard response)
|
|
|
|
|
return response.json();
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
// Complete passkey login
|
|
|
|
|
completeLogin: async (assertion: Record<string, unknown>): Promise<WebAuthnLoginCompleteResponse> => {
|
2026-01-16 11:35:21 +10:30
|
|
|
const response = await fetch(`${config.api.baseUrl}/auth/webauthn/login/complete`, {
|
2026-01-14 15:32:30 +00:00
|
|
|
method: 'POST',
|
2026-01-16 11:35:21 +10:30
|
|
|
headers: {
|
|
|
|
|
'Content-Type': 'application/json',
|
|
|
|
|
},
|
|
|
|
|
credentials: 'include', // Required for session cookie
|
2026-01-14 15:32:30 +00:00
|
|
|
body: JSON.stringify(assertion),
|
2026-01-16 11:35:21 +10:30
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const json: ApiResponse<WebAuthnLoginCompleteResponse> = await response.json();
|
|
|
|
|
|
|
|
|
|
if (!json.success) {
|
|
|
|
|
throw new ApiError(
|
|
|
|
|
json.message || 'Authentication failed',
|
|
|
|
|
json.code,
|
|
|
|
|
json.error?.type || 'AUTHENTICATION_ERROR',
|
|
|
|
|
json.error?.details || {}
|
|
|
|
|
);
|
|
|
|
|
}
|
2026-01-14 15:32:30 +00:00
|
|
|
|
|
|
|
|
// Store token after successful passkey login
|
2026-01-16 11:35:21 +10:30
|
|
|
if (json.data?.token) {
|
|
|
|
|
tokenManager.setToken(json.data.token, json.data.expires_at ?? null);
|
2026-01-14 15:32:30 +00:00
|
|
|
}
|
|
|
|
|
|
2026-01-16 11:35:21 +10:30
|
|
|
return json.data as WebAuthnLoginCompleteResponse;
|
2026-01-14 15:32:30 +00:00
|
|
|
},
|
|
|
|
|
|
|
|
|
|
// Rename a passkey
|
|
|
|
|
renameCredential: (credentialId: string, name: string) =>
|
|
|
|
|
request<{ message: string }>(`/auth/webauthn/credentials/${credentialId}`, {
|
|
|
|
|
method: 'PATCH',
|
|
|
|
|
body: JSON.stringify({ name }),
|
|
|
|
|
}),
|
|
|
|
|
|
|
|
|
|
// Delete a passkey
|
|
|
|
|
deleteCredential: (credentialId: string) =>
|
|
|
|
|
request<{ message: string }>(`/auth/webauthn/credentials/${credentialId}`, {
|
|
|
|
|
method: 'DELETE',
|
|
|
|
|
}),
|
|
|
|
|
},
|
2026-01-16 17:31:25 +10:30
|
|
|
|
|
|
|
|
policies: {
|
|
|
|
|
// Get organization security policy
|
|
|
|
|
getOrgPolicy: (orgId: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<OrgPolicyResponse>(`/organizations/${orgId}/security-policy`, {}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Update organization security policy
|
|
|
|
|
updateOrgPolicy: (orgId: string, body: UpdateOrgPolicyDto, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<OrgPolicyResponse>(`/organizations/${orgId}/security-policy`, {
|
|
|
|
|
method: 'PUT',
|
|
|
|
|
body: JSON.stringify(body),
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// List organization compliance (paginated)
|
|
|
|
|
listOrgCompliance: (orgId: string, params: Record<string, string>, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<OrgCompliancePage>(
|
|
|
|
|
`/organizations/${orgId}/mfa-compliance?${new URLSearchParams(params)}`,
|
|
|
|
|
{},
|
|
|
|
|
true,
|
|
|
|
|
requestConfig
|
|
|
|
|
),
|
|
|
|
|
|
|
|
|
|
// Get current user's MFA compliance summary
|
|
|
|
|
getMyCompliance: () =>
|
|
|
|
|
request<MfaComplianceSummary>('/users/me/mfa-compliance'),
|
|
|
|
|
},
|
2026-01-20 15:54:11 +10:30
|
|
|
|
|
|
|
|
externalAuth: {
|
2026-01-21 03:09:38 +10:30
|
|
|
// List available providers
|
2026-01-20 15:54:11 +10:30
|
|
|
listProviders: () =>
|
2026-01-21 03:09:38 +10:30
|
|
|
request<ExternalProvidersResponse>('/auth/external/providers'),
|
2026-01-20 15:54:11 +10:30
|
|
|
|
2026-01-21 03:09:38 +10:30
|
|
|
// Get linked accounts for current user
|
2026-01-20 15:54:11 +10:30
|
|
|
listLinkedAccounts: () =>
|
|
|
|
|
request<LinkedAccountsResponse>('/auth/external/linked-accounts'),
|
|
|
|
|
|
2026-02-26 23:38:45 +05:45
|
|
|
// Initiate OAuth login flow — returns authorization_url to redirect the browser to
|
|
|
|
|
initiateLogin: (provider: string, options?: { redirect_uri?: string; organization_id?: string; flow?: string; oidc_session_id?: string }) => {
|
|
|
|
|
const params = new URLSearchParams({ flow: options?.flow ?? 'login' });
|
|
|
|
|
if (options?.redirect_uri) params.set('redirect_uri', options.redirect_uri);
|
|
|
|
|
if (options?.organization_id) params.set('organization_id', options.organization_id);
|
|
|
|
|
if (options?.oidc_session_id) params.set('oidc_session_id', options.oidc_session_id);
|
|
|
|
|
return request<OAuthAuthorizeResponse>(`/auth/external/${provider}/authorize?${params.toString()}`, {
|
2026-01-21 03:09:38 +10:30
|
|
|
method: 'GET',
|
2026-01-20 15:54:11 +10:30
|
|
|
credentials: 'include',
|
2026-02-26 23:38:45 +05:45
|
|
|
}, false);
|
|
|
|
|
},
|
2026-01-20 15:54:11 +10:30
|
|
|
|
2026-01-21 03:09:38 +10:30
|
|
|
// Initiate account linking flow (requires auth)
|
|
|
|
|
initiateLink: (provider: string, redirect_uri?: string) =>
|
2026-01-20 15:54:11 +10:30
|
|
|
request<OAuthAuthorizeResponse>(`/auth/external/${provider}/link`, {
|
|
|
|
|
method: 'POST',
|
2026-01-21 03:09:38 +10:30
|
|
|
body: JSON.stringify({ redirect_uri }),
|
2026-01-20 15:54:11 +10:30
|
|
|
credentials: 'include',
|
|
|
|
|
}),
|
|
|
|
|
|
2026-01-21 03:09:38 +10:30
|
|
|
// Unlink an external account
|
|
|
|
|
unlinkAccount: (provider: string) =>
|
|
|
|
|
request<{ message: string }>(`/auth/external/${provider}/unlink`, {
|
|
|
|
|
method: 'DELETE',
|
|
|
|
|
credentials: 'include',
|
|
|
|
|
}),
|
2026-01-20 15:54:11 +10:30
|
|
|
},
|
2026-02-27 21:08:16 +05:45
|
|
|
|
|
|
|
|
organizations: {
|
|
|
|
|
// Get organization by ID
|
|
|
|
|
getById: (orgId: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ organization: Organization; member_count: number }>(`/organizations/${orgId}`, {}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Get organization members
|
|
|
|
|
getMembers: (orgId: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ members: OrganizationMember[]; count: number }>(`/organizations/${orgId}/members`, {}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Add member to organization
|
|
|
|
|
addMember: (orgId: string, email: string, role: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ member: OrganizationMember }>(`/organizations/${orgId}/members`, {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ email, role }),
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Remove member from organization
|
|
|
|
|
removeMember: (orgId: string, userId: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ message: string }>(`/organizations/${orgId}/members/${userId}`, {
|
|
|
|
|
method: 'DELETE',
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Update member role
|
|
|
|
|
updateMemberRole: (orgId: string, userId: string, role: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ member: OrganizationMember }>(`/organizations/${orgId}/members/${userId}/role`, {
|
|
|
|
|
method: 'PATCH',
|
|
|
|
|
body: JSON.stringify({ role }),
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Get organization audit logs
|
|
|
|
|
getAuditLogs: (orgId: string, params?: Record<string, string>, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ audit_logs: AuditLogEntry[]; count: number }>(
|
|
|
|
|
`/organizations/${orgId}/audit-logs${params ? '?' + new URLSearchParams(params).toString() : ''}`,
|
|
|
|
|
{},
|
|
|
|
|
true,
|
|
|
|
|
requestConfig
|
|
|
|
|
),
|
|
|
|
|
|
|
|
|
|
// Get departments
|
|
|
|
|
getDepartments: (orgId: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ departments: Department[]; count: number }>(`/organizations/${orgId}/departments`, {}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Create department
|
|
|
|
|
createDepartment: (orgId: string, name: string, description?: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ department: Department }>(`/organizations/${orgId}/departments`, {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ name, description }),
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Update department
|
|
|
|
|
updateDepartment: (orgId: string, deptId: string, data: { name?: string; description?: string }, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ department: Department }>(`/organizations/${orgId}/departments/${deptId}`, {
|
|
|
|
|
method: 'PATCH',
|
|
|
|
|
body: JSON.stringify(data),
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Delete department
|
|
|
|
|
deleteDepartment: (orgId: string, deptId: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ message: string }>(`/organizations/${orgId}/departments/${deptId}`, {
|
|
|
|
|
method: 'DELETE',
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Get department members
|
|
|
|
|
getDepartmentMembers: (orgId: string, deptId: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ members: DepartmentMember[]; count: number }>(`/organizations/${orgId}/departments/${deptId}/members`, {}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Add member to department
|
|
|
|
|
addDepartmentMember: (orgId: string, deptId: string, email: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ member: DepartmentMember }>(`/organizations/${orgId}/departments/${deptId}/members`, {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ email }),
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Remove member from department
|
|
|
|
|
removeDepartmentMember: (orgId: string, deptId: string, userId: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ message: string }>(`/organizations/${orgId}/departments/${deptId}/members/${userId}`, {
|
|
|
|
|
method: 'DELETE',
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Get principals
|
|
|
|
|
getPrincipals: (orgId: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ principals: Principal[]; count: number }>(`/organizations/${orgId}/principals`, {}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Create principal
|
|
|
|
|
createPrincipal: (orgId: string, name: string, description?: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ principal: Principal }>(`/organizations/${orgId}/principals`, {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ name, description }),
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Update principal
|
|
|
|
|
updatePrincipal: (orgId: string, principalId: string, data: { name?: string; description?: string }, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ principal: Principal }>(`/organizations/${orgId}/principals/${principalId}`, {
|
|
|
|
|
method: 'PATCH',
|
|
|
|
|
body: JSON.stringify(data),
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Delete principal
|
|
|
|
|
deletePrincipal: (orgId: string, principalId: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ message: string }>(`/organizations/${orgId}/principals/${principalId}`, {
|
|
|
|
|
method: 'DELETE',
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Get principal members
|
|
|
|
|
getPrincipalMembers: (orgId: string, principalId: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ members: PrincipalMember[]; count: number }>(`/organizations/${orgId}/principals/${principalId}/members`, {}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Add member to principal
|
|
|
|
|
addPrincipalMember: (orgId: string, principalId: string, email: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ member: PrincipalMember }>(`/organizations/${orgId}/principals/${principalId}/members`, {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ email }),
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Remove member from principal
|
|
|
|
|
removePrincipalMember: (orgId: string, principalId: string, userId: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ message: string }>(`/organizations/${orgId}/principals/${principalId}/members/${userId}`, {
|
|
|
|
|
method: 'DELETE',
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Link principal to department
|
|
|
|
|
linkPrincipalToDepartment: (orgId: string, principalId: string, departmentId: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ message: string }>(`/organizations/${orgId}/principals/${principalId}/departments`, {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ department_id: departmentId }),
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Unlink principal from department
|
|
|
|
|
unlinkPrincipalFromDepartment: (orgId: string, principalId: string, departmentId: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ message: string }>(`/organizations/${orgId}/principals/${principalId}/departments/${departmentId}`, {
|
|
|
|
|
method: 'DELETE',
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Create invite token
|
|
|
|
|
createInvite: (orgId: string, email: string, role: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ invite: OrgInvite }>(`/organizations/${orgId}/invites`, {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ email, role }),
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// List OIDC clients
|
|
|
|
|
getClients: (orgId: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ clients: OIDCClient[]; count: number }>(`/organizations/${orgId}/clients`, {}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Create OIDC client
|
|
|
|
|
createClient: (orgId: string, name: string, redirect_uris: string[], requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ client: OIDCClientWithSecret }>(`/organizations/${orgId}/clients`, {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ name, redirect_uris }),
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Delete OIDC client
|
|
|
|
|
deleteClient: (orgId: string, clientId: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ message: string }>(`/organizations/${orgId}/clients/${clientId}`, {
|
|
|
|
|
method: 'DELETE',
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
|
|
|
|
|
// Send MFA reminder to a member
|
|
|
|
|
sendMfaReminder: (orgId: string, userId: string, requestConfig?: RequestConfig) =>
|
|
|
|
|
request<{ message: string }>(`/organizations/${orgId}/members/${userId}/send-mfa-reminder`, {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
}, true, requestConfig),
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
invites: {
|
|
|
|
|
// Get invite details by token (unauthenticated)
|
|
|
|
|
getInfo: (token: string) =>
|
|
|
|
|
request<{ email: string; organization: { id: string; name: string }; role: string }>(
|
|
|
|
|
`/invites/${token}`,
|
|
|
|
|
{},
|
|
|
|
|
false,
|
|
|
|
|
),
|
|
|
|
|
|
|
|
|
|
// Accept invite (unauthenticated)
|
|
|
|
|
accept: (token: string, full_name: string, password: string) =>
|
|
|
|
|
request<LoginResponse>(
|
|
|
|
|
`/invites/${token}/accept`,
|
|
|
|
|
{
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ full_name, password, password_confirm: password }),
|
|
|
|
|
},
|
|
|
|
|
false,
|
|
|
|
|
),
|
|
|
|
|
},
|
2026-01-06 15:33:03 +00:00
|
|
|
};
|
|
|
|
|
|
2026-02-27 21:08:16 +05:45
|
|
|
// Organization types
|
|
|
|
|
export interface OrganizationMember {
|
|
|
|
|
id: string;
|
|
|
|
|
user_id: string;
|
|
|
|
|
organization_id: string;
|
|
|
|
|
role: string;
|
|
|
|
|
created_at: string;
|
|
|
|
|
updated_at: string;
|
|
|
|
|
user?: User;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface AuditLogEntry {
|
|
|
|
|
id: string;
|
|
|
|
|
action: string;
|
|
|
|
|
user_id: string | null;
|
|
|
|
|
organization_id: string | null;
|
|
|
|
|
resource_type: string | null;
|
|
|
|
|
resource_id: string | null;
|
|
|
|
|
ip_address: string | null;
|
|
|
|
|
user_agent: string | null;
|
|
|
|
|
request_id: string | null;
|
|
|
|
|
description: string | null;
|
|
|
|
|
success: boolean;
|
|
|
|
|
error_message: string | null;
|
|
|
|
|
metadata?: Record<string, unknown>;
|
|
|
|
|
created_at: string;
|
|
|
|
|
updated_at: string;
|
|
|
|
|
user?: User;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface Department {
|
|
|
|
|
id: string;
|
|
|
|
|
organization_id: string;
|
|
|
|
|
name: string;
|
|
|
|
|
description: string | null;
|
|
|
|
|
created_at: string;
|
|
|
|
|
updated_at: string;
|
|
|
|
|
deleted_at: string | null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface DepartmentMember {
|
|
|
|
|
id: string;
|
|
|
|
|
user_id: string;
|
|
|
|
|
department_id: string;
|
|
|
|
|
created_at: string;
|
|
|
|
|
updated_at: string;
|
|
|
|
|
user?: User;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface Principal {
|
|
|
|
|
id: string;
|
|
|
|
|
organization_id: string;
|
|
|
|
|
name: string;
|
|
|
|
|
description: string | null;
|
|
|
|
|
created_at: string;
|
|
|
|
|
updated_at: string;
|
|
|
|
|
deleted_at: string | null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface PrincipalMember {
|
|
|
|
|
id: string;
|
|
|
|
|
user_id: string;
|
|
|
|
|
principal_id: string;
|
|
|
|
|
created_at: string;
|
|
|
|
|
updated_at: string;
|
|
|
|
|
user?: User;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface OrgInvite {
|
|
|
|
|
id: string;
|
|
|
|
|
email: string;
|
|
|
|
|
role: string;
|
|
|
|
|
expires_at: string;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface OIDCClient {
|
|
|
|
|
id: string;
|
|
|
|
|
name: string;
|
|
|
|
|
client_id: string;
|
|
|
|
|
redirect_uris: string[];
|
|
|
|
|
scopes: string[];
|
|
|
|
|
grant_types: string[];
|
|
|
|
|
is_active: boolean;
|
|
|
|
|
created_at: string;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface OIDCClientWithSecret extends OIDCClient {
|
|
|
|
|
client_secret: string;
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-16 17:31:25 +10:30
|
|
|
// Policy types
|
|
|
|
|
export interface OrgPolicyResponse {
|
|
|
|
|
security_policy: {
|
|
|
|
|
organization_id: string;
|
|
|
|
|
mfa_policy_mode: string;
|
|
|
|
|
mfa_grace_period_days: number;
|
|
|
|
|
notify_days_before: number;
|
|
|
|
|
policy_version: number;
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface UpdateOrgPolicyDto {
|
|
|
|
|
mfa_policy_mode: string;
|
|
|
|
|
mfa_grace_period_days: number;
|
|
|
|
|
notify_days_before: number;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface OrgCompliancePage {
|
|
|
|
|
members: OrgComplianceMember[];
|
|
|
|
|
count: number;
|
|
|
|
|
page: number;
|
|
|
|
|
page_size: number;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface OrgComplianceMember {
|
|
|
|
|
user_id: string;
|
|
|
|
|
user_email: string;
|
|
|
|
|
user_name: string;
|
|
|
|
|
status: string;
|
|
|
|
|
deadline_at: string | null;
|
|
|
|
|
compliant_at: string | null;
|
|
|
|
|
last_notified_at: string | null;
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-06 15:33:03 +00:00
|
|
|
export { ApiError };
|
2026-01-16 17:31:25 +10:30
|
|
|
|
|
|
|
|
// Reusable 403 error handler for API calls
|
|
|
|
|
// Shows a user-friendly toast message when access is denied
|
|
|
|
|
export function create403Handler(toastFn: (options: { title: string; description: string; variant: "destructive" }) => void) {
|
|
|
|
|
return (error: ApiError) => {
|
|
|
|
|
console.warn('[API] 403 Access Denied:', error.message);
|
|
|
|
|
toastFn({
|
|
|
|
|
title: "Access Denied",
|
|
|
|
|
description: "You don't have permission to view this section. Please contact your organization administrator.",
|
|
|
|
|
variant: "destructive",
|
|
|
|
|
});
|
|
|
|
|
};
|
|
|
|
|
}
|
