Merge pull request #8 from StackExchange/PKCE-helper

PKCE Authentication feature

Author: EstoesMoises

.changeset/tricky-oranges-relax.md

@@ -0,0 +1,6 @@
+---
+"soteams-sdk-docs": minor
+"so-teams-sdk": minor
+---
+
+Added PKCE authentication helpers for both Backend and Frontend services

docs/src/content/docs/guides/authentication.mdx

@@ -1,146 +1,265 @@
 ---
 title: Authentication
-description: Learn how to authenticate with the Stack Overflow API to use the SDK.
+description: Learn how to authenticate with the Stack Overflow API using the built-in authentication helpers.
 ---
 import { Card, CardGrid } from '@astrojs/starlight/components';
 
-The Stack Overflow SDK requires an access token to authenticate API requests. This guide explains how to obtain and use access tokens with the SDK.
+The Stack Overflow SDK provides built-in authentication helpers that simplify the OAuth 2.0 flow with PKCE for secure token generation. Authentication requirements vary by Stack Overflow for Teams tier.
 
-## Overview
+### Authentication by Tier
 
-The SDK uses OAuth 2.0 with access tokens for authentication. All API calls require a valid access token to be passed during SDK initialization.
+- **Stack Overflow for Teams Enterprise** - Supports OAuth 2.0 with PKCE. Access tokens can be generated dynamically. You can optionally provide a single Access Token manually.
+- **Stack Overflow for Teams Basic/Business** - OAuth is not available. Manual input of Access tokens (PATs) are **required** in order to use the SDK.
 
+### Authentication Clients
+
+The SDK includes two authentication clients for Enterprise instances:
+- **BackendAuthClient** - For server-side Node.js environments with full PKCE implementation
+- **FrontendAuthClient** - For browser environments that communicate with your backend API
+
+### SDK Initialization Options
+
+#### Enterprise - With OAuth Setup
 ```typescript
-import StackOverflowSDK from 'so-teams-sdk;
+import StackOverflowSDK from 'so-teams-sdk';
 
+// Option 1: OAuth configuration (no token required initially)
 const sdk = new StackOverflowSDK({
-  baseUrl: 'https://[your-site].stackenterprise.co',
-  accessToken: 'your-access-token-here'
+  baseUrl: 'https://your-site.stackenterprise.co',
+  auth: {
+    clientId: 'your-client-id',
+    redirectUri: 'https://yourapp.com/callback',
+    baseUrl: 'https://your-site.stackenterprise.co',
+    scope: 'read_inbox write_access'
+  }
 });
-```
 
-## Obtaining Access Tokens
+// Option 2: With existing access token
+const sdk = StackOverflowSDK.fromToken(
+  'your-access-token', 
+  'https://your-site.stackenterprise.co'
+);
+
+// Option 3: Factory method for OAuth setup
+const sdk = StackOverflowSDK.enterpriseOAuth({
+  clientId: 'your-client-id',
+  redirectUri: 'https://yourapp.com/callback',
+  baseUrl: 'https://your-site.stackenterprise.co'
+});
+```
 
-### For Stack Overflow for Teams Enterprise
+#### Basic/Business - Personal Access Token Required
+```typescript
+import StackOverflowSDK from 'so-teams-sdk';
 
-If you're using Stack Overflow for Teams Enterprise, follow the comprehensive OAuth implementation guide to generate secure API tokens:
+// PAT is mandatory for Basic/Business tiers
+const sdk = StackOverflowSDK.fromToken(
+  'your-personal-access-token',
+  'https://api.stackoverflowteams.com/v3'
+);
 
-**[Secure API Token Generation with OAuth and PKCE →](https://stackoverflow.help/en/articles/19820283-secure-api-token-generation-with-oauth-and-pkce)**
+// Team context is required for Basic/Business operations
+const teamContext = sdk.forTeam('your-team-id');
+const questions = await teamContext.questions.getAll();
+```
 
-This guide covers:
-- OAuth Authorization Code flow
-- PKCE (Proof Key for Code Exchange) implementation
-- Token generation and management
-- Security best practices
+## Authentication Clients (Enterprise Only)
 
-### For Stack Overflow for Teams
+:::note[Enterprise Feature]
+Authentication clients are only available for Stack Overflow for Teams Enterprise instances. Basic/Business tiers must use Personal Access Tokens during SDK initialization.
+:::
 
-If you're using Stack Overflow for Teams (Business or Basic), the process is simpler. You can generate a Personal Access Token (PAT) by following this guide:
+### Backend Authentication (Server-Side)
 
-**[Personal Access Tokens (PATs) for API Authentication →](https://stackoverflowteams.help/en/articles/10908790-personal-access-tokens-pats-for-api-authentication)**
+The `BackendAuthClient` handles the complete OAuth flow with PKCE on your server:
 
-PATs allow you to authenticate securely with the API without needing the full OAuth flow.
+```typescript title="backend-auth.ts"
+import { BackendAuthClient } from 'so-teams-sdk';
 
-## Using Access Tokens
+const authClient = new BackendAuthClient({
+  clientId: 'your-client-id',
+  redirectUri: 'https://yourapp.com/callback',
+  baseUrl: 'https://your-site.stackenterprise.co',
+  scope: 'read_inbox write_access' // Optional
+});
 
-Once you have an access token, initialize the SDK with your credentials:
+// Generate authorization URL
+const { url, codeVerifier, state } = await authClient.getAuthUrl();
 
-```typescript title="sdk-setup.ts"
-import StackOverflowSDK from 'so-teams-sdk;
+// Store codeVerifier and state securely (session, database, etc.)
+// Redirect user to the authorization URL
 
-// For Stack Overflow for Teams
-const teamsSDK = new StackOverflowSDK({
-  baseUrl: 'https://your-site.stackenterprise.co',
-  accessToken: 'your-access-token'
-});
+// In your callback handler:
+const tokens = await authClient.exchangeCodeForToken(
+  callbackCode, 
+  storedCodeVerifier
+);
 
+// Validate state for CSRF protection
+const isValidState = authClient.validateState(callbackState, storedState);
 ```
 
-## Token Scopes
+### Frontend Authentication (Browser)
 
-Different API operations require different scopes. Common scopes include:
+The `FrontendAuthClient` communicates with your backend API to handle OAuth securely:
 
-| Scope | Description |
-|-------|-------------|
-| read_inbox | Access user's inbox |
-| write_access | Perform write operations |
-| private_info | Access private user data |
-| no_expiry | Token never expires (use with caution) |
+```typescript title="frontend-auth.ts"
+import { FrontendAuthClient } from 'so-teams-sdk';
 
-## Environment Variables
+const frontendClient = new FrontendAuthClient({
+  clientId: 'your-client-id',
+  redirectUri: 'https://yourapp.com/callback',
+  baseUrl: 'https://your-site.stackenterprise.co'
+}, '/api'); // Your backend API base URL
 
-For security, store your access tokens in environment variables:
+// Start authentication flow
+const authUrl = await frontendClient.startAuth();
+window.location.href = authUrl;
 
-```typescript title="config.ts"
-export const config = {
-  baseUrl: process.env.STACKOVERFLOW_BASE_URL,
-  accessToken: process.env.STACKOVERFLOW_ACCESS_TOKEN
-};
+// Handle OAuth callback
+await frontendClient.handleCallback();
+
+// Check authentication status
+const isAuthenticated = await frontendClient.getAuthStatus();
+
+// Manual token submission (for PATs)
+const success = await frontendClient.submitAccessToken(userToken);
 ```
 
-```typescript title="app.ts"
-import StackOverflowSDK from 'so-teams-sdk;
-import { config } from './config';
+## Authentication Configuration
 
-const sdk = new StackOverflowSDK(config);
+### AuthConfig Interface
+
+```typescript
+interface AuthConfig {
+  /** OAuth client ID from Stack Overflow Enterprise */
+  clientId: string;
+  /** Redirect URI registered with your application */
+  redirectUri: string;  
+  /** Stack Overflow Enterprise instance URL */
+  baseUrl: string;
+  /** OAuth scopes (optional) */
+  scope?: string;
+}
 ```
 
-## Token Management
+### Available Methods
+
+#### BackendAuthClient Methods
+
+| Method | Description | Returns |
+|--------|-------------|---------|
+| `generatePKCETokens()` | Generate PKCE tokens for secure OAuth | `Promise<PKCETokens>` |
+| `getAuthUrl()` | Generate authorization URL with PKCE | `Promise<{url, codeVerifier, state}>` |
+| `exchangeCodeForToken()` | Exchange auth code for access token | `Promise<TokenResponse>` |
+| `validateState()` | Validate state parameter for CSRF protection | `boolean` |
+
+#### FrontendAuthClient Methods
+
+| Method | Description | Returns |
+|--------|-------------|---------|
+| `startAuth()` | Start OAuth flow via backend API | `Promise<string>` |
+| `completeAuth()` | Complete OAuth with callback params | `Promise<void>` |
+| `handleCallback()` | Handle OAuth callback in current page | `Promise<void>` |
+| `getAuthStatus()` | Check if user is authenticated | `Promise<boolean>` |
+| `submitAccessToken()` | Submit manual access token | `Promise<boolean>` |
+| `logout()` | Clear authentication state | `Promise<boolean>` |
+
+## Token Scopes
+
+Different API operations require different scopes:
 
-### Token Expiration
+| Scope | Description |
+|-------|-------------|
+| read_inbox | Access user's inbox |
+| write_access | Perform write operations |
+| private_info | Access private user data |
+| no_expiry | Token never expires (use with caution) |
+
+## Security Best Practices
 
-Unless you use the `no_expiry` scope, access tokens expire after 24 hours. Monitor token expiration and implement refresh logic as needed.
+<CardGrid>
+  <Card title="PKCE Implementation" icon="shield">
+    The SDK automatically implements PKCE (Proof Key for Code Exchange) to prevent authorization code interception attacks.
+  </Card>
+  <Card title="State Validation" icon="lock">
+    Always validate the state parameter in OAuth callbacks to prevent CSRF attacks using the built-in validation methods.
+  </Card>
+  <Card title="Secure Token Storage" icon="certificate">
+    Follow secure token storage best practices and avoid client-side storage for sensitive authentication data.
+  </Card>
+  <Card title="Environment Variables" icon="key">
+    Keep sensitive configuration like client IDs and secrets in environment variables, not in your source code.
+  </Card>
+</CardGrid>
 
-### Error Handling
+## Error Handling
 
 Handle authentication errors gracefully:
 
 ```typescript title="auth-error-handling.ts"
-async function makeAuthenticatedRequest() {
+async function authenticateUser() {
   try {
-    const questions = await sdk.questions.getQuestions();
-    return questions;
+    const authUrl = await authClient.getAuthUrl();
+    // Handle success
   } catch (error) {
-    if (error.status === 401) {
-      console.error('Authentication failed - token may be expired or invalid');
-      // Implement token refresh or re-authentication logic
-    } else if (error.status === 403) {
-      console.error('Insufficient permissions - check token scopes');
+    if (error.message.includes('clientId')) {
+      console.error('Missing OAuth configuration');
+    } else {
+      console.error('Authentication setup failed:', error);
     }
-    throw error;
   }
 }
+
+// In callback handler
+try {
+  const tokens = await authClient.exchangeCodeForToken(code, codeVerifier);
+} catch (error) {
+  if (error.message.includes('Failed to exchange')) {
+    console.error('Token exchange failed - check OAuth configuration');
+  }
+  throw error;
+}
 ```
 
-## Security Best Practices
+## Alternative: Personal Access Tokens
 
-<CardGrid>
-  <Card title="Secure Storage" icon="lock">
-    Never hardcode access tokens in your source code. Use environment variables or secure configuration management.
-  </Card>
-  <Card title="Token Rotation" icon="refresh">
-    Regularly rotate your access tokens and implement proper token lifecycle management.
-  </Card>
-  <Card title="Scope Limitation" icon="shield">
-    Request only the minimum scopes required for your application functionality.
-  </Card>
-  <Card title="HTTPS Only" icon="certificate">
-    Always use HTTPS when transmitting access tokens to prevent interception.
-  </Card>
-</CardGrid>
+### Enterprise Instances
+For simpler Enterprise implementations, you can generate Tokens manually and use them as seen below:
+
+```typescript
+const sdk = StackOverflowSDK.fromToken(
+  'your-enterprise-pat',
+  'https://your-site.stackenterprise.co'
+);
+
+const questions = await sdk.questions.getAll();
+```
+
+You'll need to follow [this guide](https://stackoverflowteams.help/en/articles/9718149-secure-api-token-generation-with-oauth-and-pkce) to understand how OAuth works on Enterprise.
+
+### Basic/Business Instances (Required)
+For Basic and Business tiers, PATs are the only authentication method available:
+
+**[Personal Access Tokens (PATs) for API Authentication →](https://stackoverflowteams.help/en/articles/10908790-personal-access-tokens-pats-for-api-authentication)**
+
+```typescript
+const sdk = StackOverflowSDK.fromToken(userProvidedPAT, 'https://api.stackoverflowteams.com/v3');
+const teamContext = sdk.forTeam('team-123');
+```
 
 ## Next Steps
 
-Once you have your access token configured:
+Once you have authentication configured with the helpers:
 
-- [Quickstart Guide](/quickstart) - Get started with the SDK
-- [Questions API](/questions/getall/) - Learn about fetching questions
-- [Rate Limits](/guides/rate-limiting) - Understand how rate limits work on SO Teams
+- [Quickstart Guide](/guides/quickstart) - Get started with the SDK
+- [Questions API](/questions/getall/) - Learn about fetching questions  
+- [Rate Limits](/guides/rate-limiting) - Understand API rate limits
 
 :::note[Rate Limits]
-Authentication doesn't bypass API rate limits. Authenticated requests typically have higher rate limits than anonymous requests, but limits still apply.
+Authentication doesn't bypass API rate limits.
 :::
 
 :::tip[Development vs Production]
-Use different access tokens for development and production environments. Consider using shorter-lived tokens in production for enhanced security.
+Use different OAuth applications and tokens for development and production environments. The authentication helpers support this through environment-specific configuration.
 :::

docs/src/content/docs/index.mdx

@@ -48,6 +48,9 @@ import { Card, CardGrid } from '@astrojs/starlight/components';
 	<Card title="Type Safety" icon="laptop">
 		Complete TypeScript definitions for all Teams endpoints, models, and responses.
 	</Card>
+	<Card title="PKCE Authentication Built-in" icon="approve-check-circle">
+		Includes full PKCE authentication with ready-to-use helpers for both backend and frontend implementations.
+	</Card>
 </CardGrid>
 
 ## Popular use cases
@@ -65,7 +68,7 @@ Whether you're building internal tools, integrating with existing workflows, or
 ## Current status
 
 At the moment, the SDK is only available as a **TypeScript library**.  
-This project is in **early access**, and more language support and features (such as authentication helpers and rate limiting) will be added in the future.
+This project is in **early access**, and more language support and features (such as rate limiting) will be added in the future.
 
 ## Ready to start building?
 
@@ -76,4 +79,4 @@ Our SDK provides a higher-level abstraction for programmatically interacting wit
 
 This Stack Overflow for Teams SDK is licensed to you under the terms of the Apache Software License Version 2.0 (Apache 2.0): https://www.apache.org/licenses/LICENSE-2.0.txt
 
-The Teams SDK is 100% open source and freely available to download and use under the terms of the Apache 2.0 license. This SDK enables development with the Stack Overflow for Teams API, which is available to all Teams customers, but may be subject to future changes.
+The Teams SDK is 100% open source and freely available to download and use under the terms of the Apache 2.0 license. This SDK enables development with the Stack Overflow for Teams API, which is available to all Teams customers, but may be subject to future changes.

sdk/.gitignore

@@ -1 +1,2 @@
-test.ts
+test.ts
+*.tgz