@amaster.ai/auth-client 1.1.0-beta.7 → 1.1.0-beta.71

package/README.md

@@ -8,6 +8,7 @@ Authentication SDK for Amaster Platform - Complete client-side authentication so
 - 🔄 **Automatic Token Refresh**: JWT token auto-refresh before expiration
 - 📦 **Token Storage**: localStorage or sessionStorage with SSR support
 - 🎯 **Permission System**: Role-based and permission-based access control
+- 👤 **Anonymous Access**: Automatic support for anonymous users with configurable permissions
 - 🔗 **OAuth Integration**: Google, GitHub, WeChat OAuth, WeChat Mini Program, and custom OAuth providers
 - 📡 **Event System**: Listen to login, logout, and token events
 - 💾 **Session Management**: View and revoke active sessions
@@ -58,7 +59,7 @@ if (result.data) {
 const user = await authClient.getMe();
 
 // Check permissions
-if (authClient.hasPermission("user.read")) {
+if (authClient.hasPermission("user", "read")) {
   // Show user list
 }
 ```
@@ -82,10 +83,10 @@ const authClient = createAuthClient();
 
 ```typescript
 interface AuthClientOptions {
-  baseURL?: string;              // API base URL, defaults to window.location.origin
+  baseURL?: string; // API base URL, defaults to window.location.origin
   headers?: Record<string, string>; // Custom headers for all requests
-  onTokenExpired?: () => void;   // Token expiration callback
-  onUnauthorized?: () => void;   // Unauthorized (401) callback
+  onTokenExpired?: () => void; // Token expiration callback
+  onUnauthorized?: () => void; // Unauthorized (401) callback
 }
 ```
 
@@ -94,19 +95,18 @@ interface AuthClientOptions {
 ```typescript
 const authClient = createAuthClient({
   baseURL: "https://api.example.com",
-  onTokenExpired: () => window.location.href = "/login",
+  onTokenExpired: () => (window.location.href = "/login"),
   onUnauthorized: () => alert("Session expired"),
 });
 ```
 
 **Built-in Features (Zero Config):**
 
-- ✅ **Auto Environment Detection**: Works in browser, WeChat Mini Program, SSR
-- ✅ **Auto Token Refresh**: Refreshes 5 minutes before expiry
-- ✅ **Auto Permission Sync**: Syncs on page load and every token refresh
-- ✅ **Smart Storage**: localStorage (browser), wx.storage (WeChat), no-op (SSR)
-- ✅ **Lightweight Data**: Only permission names cached, not full objects
-- ✅ **On-Demand DataScope**: Loads only when needed
+- ✅ Auto environment detection (browser, WeChat Mini Program, SSR)
+- ✅ Auto token refresh (5 minutes before expiry)
+- ✅ Auto permission sync
+- ✅ Auto anonymous support
+- ✅ Smart storage (localStorage, wx.storage, no-op for SSR)
 
 ## Authentication
 
@@ -180,15 +180,16 @@ const redirectUrl = sessionStorage.getItem("oauth_redirect") || "/";
 window.location.href = redirectUrl;
 ```
 
+If the callback page URL already carries `?redirect=...` such as
+`/login?redirect=%2Fapi%2Foauth%2Fauthorize...`, the SDK will reuse that
+redirect target automatically after a successful OAuth callback. Both
+`#access_token=...` and `#accessToken=...` callback hash formats are supported.
+
 **Popup window:**
 
 ```typescript
 // Main page
-const popup = window.open(
-  "/api/auth/oauth/google",
-  "oauth-login",
-  "width=600,height=700"
-);
+const popup = window.open("/api/auth/oauth/google", "oauth-login", "width=600,height=700");
 
 window.addEventListener("message", (event) => {
   if (event.data.type === "oauth-success") {
@@ -213,7 +214,7 @@ import { createAuthClient } from "@amaster.ai/auth-client";
 
 // Zero configuration - auto-detects WeChat environment
 const authClient = createAuthClient({
-  baseURL: "https://api.yourdomain.com"
+  baseURL: "https://api.yourdomain.com",
 });
 
 // Login with WeChat code
@@ -221,22 +222,22 @@ wx.login({
   success: async (res) => {
     if (res.code) {
       const result = await authClient.loginWithMiniProgram(res.code);
-      
+
       if (result.data) {
         console.log("Logged in:", result.data.user);
         // Token automatically saved to wx.storage
-        wx.switchTab({ url: '/pages/index/index' });
+        wx.switchTab({ url: "/pages/index/index" });
       } else if (result.error) {
         wx.showToast({
-          title: result.error.message || 'Login failed',
-          icon: 'none'
+          title: result.error.message || "Login failed",
+          icon: "none",
         });
       }
     }
   },
   fail: (err) => {
     console.error("wx.login failed:", err);
-  }
+  },
 });
 ```
 
@@ -244,8 +245,8 @@ wx.login({
 
 ```xml
 <!-- WXML -->
-<button 
-  open-type="getPhoneNumber" 
+<button
+  open-type="getPhoneNumber"
   bindgetphonenumber="onGetPhoneNumber"
 >
   Get Phone Number
@@ -256,14 +257,14 @@ wx.login({
 // JS
 async onGetPhoneNumber(e) {
   const { code } = e.detail;
-  
+
   if (code) {
     const result = await authClient.getMiniProgramPhoneNumber(code);
-    
+
     if (result.data) {
       console.log("Phone number:", result.data.phone);
       console.log("Verified:", result.data.phoneVerified);
-      
+
       // Update UI with phone number
       this.setData({
         phone: result.data.phone
@@ -288,13 +289,13 @@ async onGetPhoneNumber(e) {
 import { createAuthClient } from "@amaster.ai/auth-client";
 
 const authClient = createAuthClient({
-  baseURL: "https://api.yourdomain.com"
+  baseURL: "https://api.yourdomain.com",
 });
 
 Page({
   data: {
     userInfo: null,
-    hasPhone: false
+    hasPhone: false,
   },
 
   // Auto-login on page load
@@ -304,26 +305,26 @@ Page({
 
   // WeChat Mini Program login
   async handleLogin() {
-    wx.showLoading({ title: 'Logging in...' });
-    
+    wx.showLoading({ title: "Logging in..." });
+
     wx.login({
       success: async (res) => {
         if (res.code) {
           const result = await authClient.loginWithMiniProgram(res.code);
-          
+
           wx.hideLoading();
-          
+
           if (result.data) {
             this.setData({
-              userInfo: result.data.user
+              userInfo: result.data.user,
             });
-            
+
             // Navigate to home
-            wx.switchTab({ url: '/pages/index/index' });
+            wx.switchTab({ url: "/pages/index/index" });
           } else {
             wx.showToast({
-              title: 'Login failed',
-              icon: 'none'
+              title: "Login failed",
+              icon: "none",
             });
           }
         }
@@ -331,47 +332,47 @@ Page({
       fail: () => {
         wx.hideLoading();
         wx.showToast({
-          title: 'Login failed',
-          icon: 'none'
+          title: "Login failed",
+          icon: "none",
         });
-      }
+      },
     });
   },
 
   // Get phone number with user authorization
   async onGetPhoneNumber(e) {
     const { code } = e.detail;
-    
+
     if (!code) {
       wx.showToast({
-        title: 'Authorization cancelled',
-        icon: 'none'
+        title: "Authorization cancelled",
+        icon: "none",
       });
       return;
     }
 
-    wx.showLoading({ title: 'Getting phone...' });
-    
+    wx.showLoading({ title: "Getting phone..." });
+
     const result = await authClient.getMiniProgramPhoneNumber(code);
-    
+
     wx.hideLoading();
-    
+
     if (result.data) {
       this.setData({
-        hasPhone: true
+        hasPhone: true,
       });
-      
+
       wx.showToast({
-        title: 'Phone number obtained',
-        icon: 'success'
+        title: "Phone number obtained",
+        icon: "success",
       });
     } else {
       wx.showToast({
-        title: result.error?.message || 'Failed to get phone',
-        icon: 'none'
+        title: result.error?.message || "Failed to get phone",
+        icon: "none",
       });
     }
-  }
+  },
 });
 ```
 
@@ -412,67 +413,50 @@ await authClient.changePassword({
 
 ## Permission Checks
 
-### Local Permission Checks (Fast)
+### Anonymous Access Support
 
-Permissions are cached locally as string arrays for fast UI checks:
+The SDK automatically supports anonymous users with **zero configuration**:
 
 ```typescript
-// Check single role
-if (authClient.hasRole("admin")) {
-  // Admin only
-}
+// Create client
+const authClient = createAuthClient();
 
-// Check single permission
-if (authClient.hasPermission("user.read")) {
-  // Can read users
+// Permission checks work for both authenticated and anonymous users
+if (authClient.hasPermission("article", "read")) {
+  showArticleList();
 }
 
-// Check any permission
-if (authClient.hasAnyPermission(["user.read", "user.manage"])) {
-  // Has at least one permission
+// Check if user is anonymous
+if (authClient.isAnonymous()) {
+  showLoginPrompt();
 }
 
-// Check all permissions
-if (authClient.hasAllPermissions(["user.read", "user.write"])) {
-  // Has all permissions
-}
+// After login, permissions automatically update
+await authClient.login({ ... });
 ```
 
-### On-Demand Data Scope Loading
+### Local Permission Checks (Fast)
 
-Data scopes are loaded only when needed to reduce data transfer:
+Permissions are cached locally for fast UI checks:
 
 ```typescript
-// Get data scope for a specific permission
-const result = await authClient.getPermissionScope("user.read");
-if (result.data) {
-  const { dataScope } = result.data;
-  
-  if (dataScope.scopeType === "department") {
-    // Filter users by department
-    const users = await api.getUsers({
-      departmentId: dataScope.scopeFilter.departmentId
-    });
-  } else if (dataScope.scopeType === "all") {
-    // Show all users
-    const users = await api.getUsers();
-  }
+// Check role
+if (authClient.hasRole("admin")) {
+  showAdminPanel();
 }
-```
 
-**Optimized Data Structure:**
+if (authClient.isAnonymous()) {
+  showLoginPrompt();
+}
 
-```typescript
-// User object (lightweight)
-{
-  uid: "xxx",
-  email: "user@example.com",
-  roles: ["admin", "user"],  // Only role codes
-  permissions: ["user.read", "user.write", "order.read"],  // Only permission names
-  // NO dataScopes - loaded on demand
+// Check permission
+if (authClient.hasPermission("user", "read")) {
+  showUserList();
 }
 ```
 
+````
+
 ## OAuth Bindings
 
 ### Get Bindings
@@ -613,48 +597,32 @@ if (result.error) {
 
 ### Token Management
 
-- SDK automatically manages Access Token and Refresh Token
-- Access Token is stored in localStorage/sessionStorage
-- Refresh Token is managed by backend via HttpOnly Cookie
-- Token is automatically refreshed 5 minutes before expiration (configurable)
-
-### Permission Sync
-
-- **On Page Load**: User info and permissions automatically sync from backend
-- **On Token Refresh**: Permissions re-sync every 5 minutes when token refreshes
-- **Manual Sync**: Call `await authClient.getMe()` to force sync anytime
-
-**Behavior:**
-- Permissions always stay fresh without any configuration
-- Page refresh loads latest permissions from backend
-- Background sync happens automatically every 5 minutes
+- Tokens are automatically managed by the SDK
+- Access Token refreshes 5 minutes before expiration
+- No manual token handling required
 
 ### Permission Checks
 
-- **Frontend permission checks are for UI control only** (show/hide buttons, menus)
-- **Backend must verify permissions again** - frontend checks are NOT security measures
-- Use permission checks to improve UX, not as security enforcement
+- Use permission checks for UI control (show/hide buttons, menus)
+- Frontend checks are NOT security measures
+- Backend must always verify permissions
 
 ### SSR Support
 
-The SDK detects SSR environments and uses a no-op storage adapter:
+The SDK works in both browser and SSR environments:
 
 ```typescript
-// Safe in both browser and SSR
 const authClient = createAuthClient();
 ```
 
 ## TypeScript
 
-Full TypeScript support with comprehensive type definitions:
+Full TypeScript support:
 
 ```typescript
 import type {
   User,
   LoginResponse,
-  Permission,
-  Role,
-  DataScope,
   Session,
   OAuthBinding,
 } from "@amaster.ai/auth-client";
@@ -667,3 +635,4 @@ MIT
 ## Contributing
 
 Contributions are welcome! Please read our contributing guidelines before submitting PRs.
+````

package/dist/auth.d.cts

@@ -14,7 +14,7 @@
  * ============================================================================
  */
 import { HttpClient, ClientResult } from '@amaster.ai/http-client';
-import { q as User, i as RegisterParams, e as LoginResponse, L as LoginParams, c as CodeLoginParams, S as SendCodeParams, p as SuccessResponse, b as CaptchaResponse, g as OAuthProvider, M as MiniProgramPhoneResponse, R as RefreshTokenResponse } from './types-C56GAJKY.cjs';
+import { q as User, i as RegisterParams, e as LoginResponse, L as LoginParams, c as CodeLoginParams, S as SendCodeParams, p as SuccessResponse, b as CaptchaResponse, g as OAuthProvider, M as MiniProgramPhoneResponse, R as RefreshTokenResponse } from './types-B76rOTYH.cjs';
 
 /**
  * Authentication Module
@@ -30,11 +30,15 @@ import { q as User, i as RegisterParams, e as LoginResponse, L as LoginParams, c
  * - Logout and token refresh
  */
 
+declare const browserNavigation: {
+    replace(url: string): void;
+};
 interface AuthModuleDeps {
     http: HttpClient;
     onLoginSuccess: (user: User, accessToken: string) => void;
     storage: {
         getItem: (key: string) => string | null;
+        setItem: (key: string, value: string) => void;
     };
     clearAuth: () => void;
 }
@@ -59,8 +63,14 @@ declare function createAuthModule(deps: AuthModuleDeps): {
      * @category Authentication
      * @example
      * ```typescript
+     * // Auto-detect loginType from username
+     * await auth.login({
+     *   username: "john_doe",
+     *   password: "Password@123",
+     * });
+     *
+     * // Auto-detect loginType from email
      * await auth.login({
-     *   loginType: "email",
      *   email: "user@example.com",
      *   password: "Password@123",
      * });
@@ -73,11 +83,17 @@ declare function createAuthModule(deps: AuthModuleDeps): {
      * @category Authentication
      * @example
      * ```typescript
+     * // Auto-detect loginType from email
      * await auth.loginWithCode({
-     *   loginType: "email",
      *   email: "user@example.com",
      *   code: "123456",
      * });
+     *
+     * // Auto-detect loginType from phone
+     * await auth.loginWithCode({
+     *   phone: "13800138000",
+     *   code: "123456",
+     * });
      * ```
      */
     loginWithCode(params: CodeLoginParams): Promise<ClientResult<LoginResponse>>;
@@ -180,4 +196,4 @@ declare function createAuthModule(deps: AuthModuleDeps): {
 };
 type AuthModule = ReturnType<typeof createAuthModule>;
 
-export { type AuthModule, type AuthModuleDeps, createAuthModule };
+export { type AuthModule, type AuthModuleDeps, browserNavigation, createAuthModule };

package/dist/auth.d.ts

@@ -14,7 +14,7 @@
  * ============================================================================
  */
 import { HttpClient, ClientResult } from '@amaster.ai/http-client';
-import { q as User, i as RegisterParams, e as LoginResponse, L as LoginParams, c as CodeLoginParams, S as SendCodeParams, p as SuccessResponse, b as CaptchaResponse, g as OAuthProvider, M as MiniProgramPhoneResponse, R as RefreshTokenResponse } from './types-C56GAJKY.js';
+import { q as User, i as RegisterParams, e as LoginResponse, L as LoginParams, c as CodeLoginParams, S as SendCodeParams, p as SuccessResponse, b as CaptchaResponse, g as OAuthProvider, M as MiniProgramPhoneResponse, R as RefreshTokenResponse } from './types-B76rOTYH.js';
 
 /**
  * Authentication Module
@@ -30,11 +30,15 @@ import { q as User, i as RegisterParams, e as LoginResponse, L as LoginParams, c
  * - Logout and token refresh
  */
 
+declare const browserNavigation: {
+    replace(url: string): void;
+};
 interface AuthModuleDeps {
     http: HttpClient;
     onLoginSuccess: (user: User, accessToken: string) => void;
     storage: {
         getItem: (key: string) => string | null;
+        setItem: (key: string, value: string) => void;
     };
     clearAuth: () => void;
 }
@@ -59,8 +63,14 @@ declare function createAuthModule(deps: AuthModuleDeps): {
      * @category Authentication
      * @example
      * ```typescript
+     * // Auto-detect loginType from username
+     * await auth.login({
+     *   username: "john_doe",
+     *   password: "Password@123",
+     * });
+     *
+     * // Auto-detect loginType from email
      * await auth.login({
-     *   loginType: "email",
      *   email: "user@example.com",
      *   password: "Password@123",
      * });
@@ -73,11 +83,17 @@ declare function createAuthModule(deps: AuthModuleDeps): {
      * @category Authentication
      * @example
      * ```typescript
+     * // Auto-detect loginType from email
      * await auth.loginWithCode({
-     *   loginType: "email",
      *   email: "user@example.com",
      *   code: "123456",
      * });
+     *
+     * // Auto-detect loginType from phone
+     * await auth.loginWithCode({
+     *   phone: "13800138000",
+     *   code: "123456",
+     * });
      * ```
      */
     loginWithCode(params: CodeLoginParams): Promise<ClientResult<LoginResponse>>;
@@ -180,4 +196,4 @@ declare function createAuthModule(deps: AuthModuleDeps): {
 };
 type AuthModule = ReturnType<typeof createAuthModule>;
 
-export { type AuthModule, type AuthModuleDeps, createAuthModule };
+export { type AuthModule, type AuthModuleDeps, browserNavigation, createAuthModule };

package/dist/index.cjs

@@ -1,2 +1,2 @@
-'use strict';var httpClient=require('@amaster.ai/http-client');var y=class{constructor(){this.events={};}on(e,r){this.events[e]||(this.events[e]=[]),this.events[e].push(r);}off(e,r){this.events[e]&&(this.events[e]=this.events[e].filter(t=>t!==r));}emit(e,...r){this.events[e]&&this.events[e].forEach(t=>{try{t(...r);}catch(a){console.error(`[AuthClient] Error in event handler for "${e}":`,a);}});}removeAllListeners(){this.events={};}};var l={ACCESS_TOKEN:"amaster_access_token",REFRESH_TOKEN:"amaster_refresh_token",USER:"amaster_user"};function N(){return typeof wx<"u"&&wx.getStorageSync?"wechat-miniprogram":typeof window<"u"&&typeof window.localStorage<"u"?"browser":"node"}function S(){switch(N()){case "wechat-miniprogram":return $();case "browser":return L();case "node":return q()}}function L(){let s=window.localStorage;return {getItem(e){try{return s.getItem(e)}catch(r){return console.error("[AuthClient] Failed to get item from localStorage:",r),null}},setItem(e,r){try{s.setItem(e,r);}catch(t){console.error("[AuthClient] Failed to set item in localStorage:",t);}},removeItem(e){try{s.removeItem(e);}catch(r){console.error("[AuthClient] Failed to remove item from localStorage:",r);}},clear(){try{s.removeItem(l.ACCESS_TOKEN),s.removeItem(l.REFRESH_TOKEN),s.removeItem(l.USER);}catch(e){console.error("[AuthClient] Failed to clear localStorage:",e);}}}}function $(){return {getItem(s){try{return wx.getStorageSync(s)||null}catch(e){return console.error("[AuthClient] Failed to get item from WeChat storage:",e),null}},setItem(s,e){try{wx.setStorageSync(s,e);}catch(r){console.error("[AuthClient] Failed to set item in WeChat storage:",r);}},removeItem(s){try{wx.removeStorageSync(s);}catch(e){console.error("[AuthClient] Failed to remove item from WeChat storage:",e);}},clear(){try{wx.removeStorageSync(l.ACCESS_TOKEN),wx.removeStorageSync(l.REFRESH_TOKEN),wx.removeStorageSync(l.USER);}catch(s){console.error("[AuthClient] Failed to clear WeChat storage:",s);}}}}function q(){let s=new Map;return {getItem(e){return s.get(e)??null},setItem(e,r){s.set(e,r);},removeItem(e){s.delete(e);},clear(){s.clear();}}}function B(s){try{let e=s.split(".");if(e.length!==3)return null;let t=(e[1]||"").replace(/-/g,"+").replace(/_/g,"/");if(typeof atob<"u"){let a=decodeURIComponent(atob(t).split("").map(o=>"%"+("00"+o.charCodeAt(0).toString(16)).slice(-2)).join(""));return JSON.parse(a)}if(typeof Buffer<"u"){let a=Buffer.from(t,"base64").toString("utf-8");return JSON.parse(a)}return null}catch(e){return console.error("[AuthClient] Failed to parse JWT token:",e),null}}var C=class{constructor(){this.refreshTimer=null;this.isRefreshing=false;this.refreshCallback=null;}setRefreshCallback(e){this.refreshCallback=e;}scheduleRefresh(e){this.clearSchedule(),!(e<=0)&&(this.refreshTimer=setTimeout(()=>{this.refresh();},e));}scheduleRefreshFromToken(e,r=300){let t=B(e);if(!t||!t.exp){console.warn("[AuthClient] Cannot schedule refresh: invalid token or missing exp claim");return}let a=t.exp*1e3,o=Date.now(),c=a-o-r*1e3;c<=0?(console.warn("[AuthClient] Token already expired or expiring soon, refreshing immediately"),this.refresh()):this.scheduleRefresh(c);}async refresh(){if(!this.isRefreshing){if(!this.refreshCallback){console.error("[AuthClient] No refresh callback set");return}this.isRefreshing=true;try{await this.refreshCallback();}catch(e){console.error("[AuthClient] Token refresh failed:",e);}finally{this.isRefreshing=false;}}}clearSchedule(){this.refreshTimer&&(clearTimeout(this.refreshTimer),this.refreshTimer=null);}isCurrentlyRefreshing(){return this.isRefreshing}destroy(){this.clearSchedule(),this.refreshCallback=null,this.isRefreshing=false;}};function v(s){return s&&typeof s=="object"&&("statusCode"in s||"status"in s)&&"data"in s?s.data:s}var R={transformResponse:v,logErrors:true};function k(s){let{http:e,onLoginSuccess:r,storage:t,clearAuth:a}=s;return {async register(o){let n=await e.request({url:"/api/auth/register",method:"post",headers:{"Content-Type":"application/json"},data:o});return n.data?.user&&n.data?.accessToken&&r(n.data.user,n.data.accessToken),n},async login(o){let n=await e.request({url:"/api/auth/login",method:"post",headers:{"Content-Type":"application/json"},data:o});return n.data?.user&&n.data?.accessToken&&r(n.data.user,n.data.accessToken),n},async loginWithCode(o){let n=await e.request({url:"/api/auth/login-with-code",method:"post",headers:{"Content-Type":"application/json"},data:o});return n.data?.user&&n.data?.accessToken&&r(n.data.user,n.data.accessToken),n},async sendCode(o){return e.request({url:"/api/auth/send-code",method:"post",headers:{"Content-Type":"application/json"},data:o})},async getCaptcha(){return e.request({url:"/api/auth/captcha",method:"get"})},loginWithOAuth(o,n){if(typeof window>"u"){console.error("[AuthClient] OAuth login is only available in browser environment");return}let c=n?`/api/auth/oauth/${o}?redirect_url=${encodeURIComponent(n)}`:`/api/auth/oauth/${o}`;window.location.href=c;},async handleOAuthCallback(){if(typeof window>"u")return {data:null,error:{message:"OAuth callback is only available in browser environment",status:400},status:400};try{let o=window.location.hash.substring(1),n=new URLSearchParams(o),c=n.get("access_token"),h=n.get("user");if(!c||!h)return {data:null,error:{message:"OAuth callback failed: missing token or user data",status:400},status:400};let u=JSON.parse(decodeURIComponent(h));return r(u,c),{data:{user:u,accessToken:c},error:null,status:200}}catch(o){return {data:null,error:{message:`OAuth callback failed: ${o instanceof Error?o.message:String(o)}`,status:400},status:400}}},async loginWithMiniProgram(o){let n=await e.request({url:"/api/auth/miniprogram/login",method:"post",headers:{"Content-Type":"application/json"},data:{code:o}});return n.data?.user&&n.data?.accessToken&&r(n.data.user,n.data.accessToken),n},async getMiniProgramPhoneNumber(o){let n=t.getItem("amaster_access_token");return n?e.request({url:"/api/auth/miniprogram/phone",method:"post",headers:{"Content-Type":"application/json",Authorization:`Bearer ${n}`},data:{code:o}}):{data:null,error:{message:"Not authenticated",status:401},status:401}},async logout(){let o=t.getItem("amaster_access_token"),n=await e.request({url:"/api/auth/logout",method:"post",headers:o?{Authorization:`Bearer ${o}`}:void 0});return a(),n},async refreshToken(){return e.request({url:"/api/auth/refresh",method:"post"})}}}function P(s){let{getCurrentUser:e}=s;return {hasRole(r){let t=e();return !t||!t.roles?false:t.roles.includes(r)},hasPermission(r,t){let a=e();if(!a||!a.permissions)return  false;let o=`${r}:${t}`;return a.permissions.includes(o)},hasAnyPermission(r){return r.some(({resource:t,action:a})=>this.hasPermission(t,a))},hasAllPermissions(r){return r.every(({resource:t,action:a})=>this.hasPermission(t,a))}}}function T(s){let{http:e,storage:r,onUserUpdate:t}=s;return {async getMe(){let a=r.getItem("amaster_access_token");if(!a)return {data:null,error:{message:"Not authenticated",status:401},status:401};let o=await e.request({url:"/api/auth/me",method:"get",headers:{Authorization:`Bearer ${a}`}});return o.data&&t(o.data),o},async updateMe(a){let o=r.getItem("amaster_access_token");if(!o)return {data:null,error:{message:"Not authenticated",status:401},status:401};let n=await e.request({url:"/api/auth/me",method:"put",headers:{Authorization:`Bearer ${o}`,"Content-Type":"application/json"},data:a});return n.data&&t(n.data),n},async changePassword(a){let o=r.getItem("amaster_access_token");return o?e.request({url:"/api/auth/change-password",method:"post",headers:{Authorization:`Bearer ${o}`,"Content-Type":"application/json"},data:a}):{data:null,error:{message:"Not authenticated",status:401},status:401}}}}function w(s){let{http:e,storage:r}=s;return {async getOAuthBindings(){let t=r.getItem("amaster_access_token");return t?e.request({url:"/api/auth/oauth-bindings",method:"get",headers:{Authorization:`Bearer ${t}`}}):{data:null,error:{message:"Not authenticated",status:401},status:401}},bindOAuth(t){if(typeof window>"u"){console.error("[AuthClient] OAuth binding is only available in browser environment");return}window.location.href=`/api/auth/oauth/${t}/bind`;},async unbindOAuth(t){let a=r.getItem("amaster_access_token");return a?e.request({url:`/api/auth/oauth/${t}/unbind`,method:"delete",headers:{Authorization:`Bearer ${a}`}}):{data:null,error:{message:"Not authenticated",status:401},status:401}}}}function E(s){let{http:e,storage:r}=s;return {async getSession(){let t=r.getItem("amaster_access_token");return t?e.request({url:"/api/auth/sessions/current",method:"get",headers:{Authorization:`Bearer ${t}`}}):{data:null,error:{message:"Not authenticated",status:401},status:401}},async getSessions(){let t=r.getItem("amaster_access_token");return t?e.request({url:"/api/auth/sessions",method:"get",headers:{Authorization:`Bearer ${t}`}}):{data:null,error:{message:"Not authenticated",status:401},status:401}},async revokeSession(t){let a=r.getItem("amaster_access_token");return a?t?e.request({url:`/api/auth/sessions/${t}`,method:"delete",headers:{Authorization:`Bearer ${a}`}}):{data:null,error:{message:"Session ID is required",status:400},status:400}:{data:null,error:{message:"Not authenticated",status:401},status:401}},async revokeAllSessions(){let t=r.getItem("amaster_access_token");return t?e.request({url:"/api/auth/sessions",method:"delete",headers:{Authorization:`Bearer ${t}`}}):{data:null,error:{message:"Not authenticated",status:401},status:401}}}}function z(s={},e){let {baseURL:r,headers:t,onTokenExpired:a,onUnauthorized:o}=s,n=e||httpClient.createHttpClient({...R,baseURL:r,headers:t}),h=300,u=S(),m=new y,f=new C,g=null;try{let i=u.getItem(l.USER);i&&(g=JSON.parse(i));}catch(i){console.error("[AuthClient] Failed to load user from storage:",i);}let d;f.setRefreshCallback(async()=>{let i=await d.refreshToken();i.data?(await d.getMe(),m.emit("tokenRefreshed",i.data.accessToken)):(m.emit("tokenExpired"),a?.());});function M(i,p){u.setItem(l.ACCESS_TOKEN,p),u.setItem(l.USER,JSON.stringify(i)),g=i,f.scheduleRefreshFromToken(p,h),m.emit("login",i);}function O(i){g=i,u.setItem(l.USER,JSON.stringify(i));}function A(){u.clear(),g=null,f.clearSchedule();}function U(){return g}let b=k({http:n,onLoginSuccess:M,storage:u,clearAuth:A}),x=P({getCurrentUser:U}),I=T({http:n,storage:u,onUserUpdate:O}),_=w({http:n,storage:u}),H=E({http:n,storage:u});return d={...b,...x,...I,..._,...H,on(i,p){m.on(i,p);},off(i,p){m.off(i,p);},isAuthenticated(){return !!u.getItem(l.ACCESS_TOKEN)},getAccessToken(){return u.getItem(l.ACCESS_TOKEN)},setAccessToken(i){u.setItem(l.ACCESS_TOKEN,i),f.scheduleRefreshFromToken(i,h);},clearAuth:A},d.on("unauthorized",()=>{o?.();}),d.isAuthenticated()&&d.getMe().catch(i=>{console.warn("[AuthClient] Failed to sync user info on init:",i);}),d}exports.createAuthClient=z;exports.defaultHttpClientOptions=R;exports.transformAmasterResponse=v;//# sourceMappingURL=index.cjs.map
+'use strict';var httpClient=require('@amaster.ai/http-client');var C=class{constructor(){this.events={};}on(e,n){this.events[e]||(this.events[e]=[]),this.events[e].push(n);}off(e,n){this.events[e]&&(this.events[e]=this.events[e].filter(r=>r!==n));}emit(e,...n){this.events[e]&&this.events[e].forEach(r=>{try{r(...n);}catch(a){console.error(`[AuthClient] Error in event handler for "${e}":`,a);}});}removeAllListeners(){this.events={};}};var d={ACCESS_TOKEN:"amaster_access_token",REFRESH_TOKEN:"amaster_refresh_token",USER:"amaster_user"};function N(){return typeof wx<"u"&&wx.getStorageSync?"wechat-miniprogram":typeof window<"u"&&typeof window.localStorage<"u"?"browser":"node"}function v(){switch(N()){case "wechat-miniprogram":return q();case "browser":return $();case "node":return B()}}function $(){let t=window.localStorage;return {getItem(e){try{return t.getItem(e)}catch(n){return console.error("[AuthClient] Failed to get item from localStorage:",n),null}},setItem(e,n){try{t.setItem(e,n);}catch(r){console.error("[AuthClient] Failed to set item in localStorage:",r);}},removeItem(e){try{t.removeItem(e);}catch(n){console.error("[AuthClient] Failed to remove item from localStorage:",n);}},clear(){try{t.removeItem(d.ACCESS_TOKEN),t.removeItem(d.REFRESH_TOKEN),t.removeItem(d.USER);}catch(e){console.error("[AuthClient] Failed to clear localStorage:",e);}}}}function q(){return {getItem(t){try{return wx.getStorageSync(t)||null}catch(e){return console.error("[AuthClient] Failed to get item from WeChat storage:",e),null}},setItem(t,e){try{wx.setStorageSync(t,e);}catch(n){console.error("[AuthClient] Failed to set item in WeChat storage:",n);}},removeItem(t){try{wx.removeStorageSync(t);}catch(e){console.error("[AuthClient] Failed to remove item from WeChat storage:",e);}},clear(){try{wx.removeStorageSync(d.ACCESS_TOKEN),wx.removeStorageSync(d.REFRESH_TOKEN),wx.removeStorageSync(d.USER);}catch(t){console.error("[AuthClient] Failed to clear WeChat storage:",t);}}}}function B(){let t=new Map;return {getItem(e){return t.get(e)??null},setItem(e,n){t.set(e,n);},removeItem(e){t.delete(e);},clear(){t.clear();}}}function F(t){try{let e=t.split(".");if(e.length!==3)return null;let r=(e[1]||"").replace(/-/g,"+").replace(/_/g,"/");if(typeof atob<"u"){let a=decodeURIComponent(atob(r).split("").map(s=>"%"+("00"+s.charCodeAt(0).toString(16)).slice(-2)).join(""));return JSON.parse(a)}if(typeof Buffer<"u"){let a=Buffer.from(r,"base64").toString("utf-8");return JSON.parse(a)}return null}catch(e){return console.error("[AuthClient] Failed to parse JWT token:",e),null}}var A=class{constructor(){this.refreshTimer=null;this.isRefreshing=false;this.refreshCallback=null;}setRefreshCallback(e){this.refreshCallback=e;}scheduleRefresh(e){this.clearSchedule(),!(e<=0)&&(this.refreshTimer=setTimeout(()=>{this.refresh();},e));}scheduleRefreshFromToken(e,n=300){let r=F(e);if(!r||!r.exp){console.warn("[AuthClient] Cannot schedule refresh: invalid token or missing exp claim");return}let a=r.exp*1e3,s=Date.now(),c=a-s-n*1e3;c<=0?(console.warn("[AuthClient] Token already expired or expiring soon, refreshing immediately"),this.refresh()):this.scheduleRefresh(c);}async refresh(){if(!this.isRefreshing){if(!this.refreshCallback){console.error("[AuthClient] No refresh callback set");return}this.isRefreshing=true;try{await this.refreshCallback();}catch(e){console.error("[AuthClient] Token refresh failed:",e);}finally{this.isRefreshing=false;}}}clearSchedule(){this.refreshTimer&&(clearTimeout(this.refreshTimer),this.refreshTimer=null);}isCurrentlyRefreshing(){return this.isRefreshing}destroy(){this.clearSchedule(),this.refreshCallback=null,this.isRefreshing=false;}};function k(t){return t&&typeof t=="object"&&("statusCode"in t||"status"in t)&&"data"in t?t.data:t}var R={transformResponse:k,logErrors:true};function z(t){if(t.email)return "email";if(t.username)return "username";if(t.phone)return "phone"}function K(t){if(t.email)return "email";if(t.phone)return "phone"}function j(t){let e=new URLSearchParams(t);return e.get("access_token")||e.get("accessToken")}function J(t){return new URLSearchParams(t).get("user")}function D(){if(typeof window>"u")return null;try{let t=new URLSearchParams(window.location.search).get("redirect");if(!t)return null;let e=new URL(t,window.location.origin);return e.origin!==window.location.origin?(console.warn("[AuthClient] Ignored cross-origin redirect target:",t),null):`${e.pathname}${e.search}${e.hash}`}catch(t){return console.warn("[AuthClient] Failed to resolve redirect target:",t),null}}var W={replace(t){window.location.replace(t);}};function w(t){let{http:e,onLoginSuccess:n,storage:r,clearAuth:a}=t;return {async register(s){let o=await e.request({url:"/api/auth/register",method:"post",headers:{"Content-Type":"application/json"},data:s});return o.data?.user&&o.data?.accessToken&&n(o.data.user,o.data.accessToken),o},async login(s){let o=s.loginType||z(s);if(!o)return {data:null,error:{message:"Unable to determine login type. Please provide email, username, or phone.",status:400},status:400};let c={...s,loginType:o},l=await e.request({url:"/api/auth/login",method:"post",headers:{"Content-Type":"application/json"},data:c});return l.data?.user&&l.data?.accessToken&&n(l.data.user,l.data.accessToken),l},async loginWithCode(s){let o=s.loginType||K(s);if(!o)return {data:null,error:{message:"Unable to determine login type. Please provide email or phone.",status:400},status:400};let c={...s,loginType:o},l=await e.request({url:"/api/auth/login-with-code",method:"post",headers:{"Content-Type":"application/json"},data:c});return l.data?.user&&l.data?.accessToken&&n(l.data.user,l.data.accessToken),l},async sendCode(s){return e.request({url:"/api/auth/send-code",method:"post",headers:{"Content-Type":"application/json"},data:s})},async getCaptcha(){return e.request({url:"/api/auth/captcha",method:"get"})},loginWithOAuth(s,o){if(typeof window>"u"){console.error("[AuthClient] OAuth login is only available in browser environment");return}let c=o?`/api/auth/oauth/${s}?redirect_url=${encodeURIComponent(o)}`:`/api/auth/oauth/${s}`;window.location.href=c;},async handleOAuthCallback(){if(typeof window>"u")return {data:null,error:{message:"OAuth callback is only available in browser environment",status:400},status:400};try{let s=window.location.hash.substring(1),o=j(s),c=J(s);if(!o)return {data:null,error:{message:"OAuth callback failed: missing access token",status:400},status:400};let l;if(c)l=JSON.parse(decodeURIComponent(c));else {r.setItem(d.ACCESS_TOKEN,o);let u=await e.request({url:"/api/auth/me",method:"get",headers:{Authorization:`Bearer ${o}`}});if(!u.data)return {data:null,error:{message:"OAuth callback failed: unable to fetch user info",status:u.status||500},status:u.status||500};l=u.data;}if(n(l,o),window.history&&window.history.replaceState){let u=window.location.pathname+window.location.search;window.history.replaceState(null,"",u);}else window.location.hash="";let m=D();return m&&!window.opener&&W.replace(m),{data:{user:l,accessToken:o},error:null,status:200}}catch(s){return {data:null,error:{message:`OAuth callback failed: ${s instanceof Error?s.message:String(s)}`,status:400},status:400}}},async loginWithMiniProgram(s){let o=await e.request({url:"/api/auth/miniprogram/login",method:"post",headers:{"Content-Type":"application/json"},data:{code:s}});return o.data?.user&&o.data?.accessToken&&n(o.data.user,o.data.accessToken),o},async getMiniProgramPhoneNumber(s){let o=r.getItem("amaster_access_token");return o?e.request({url:"/api/auth/miniprogram/phone",method:"post",headers:{"Content-Type":"application/json",Authorization:`Bearer ${o}`},data:{code:s}}):{data:null,error:{message:"Not authenticated",status:401},status:401}},async logout(){let s=r.getItem("amaster_access_token"),o=await e.request({url:"/api/auth/logout",method:"post",headers:s?{Authorization:`Bearer ${s}`}:void 0});return a(),o},async refreshToken(){let s=await e.request({url:"/api/auth/refresh",method:"post"});return s.data?.accessToken&&r.setItem("amaster_access_token",s.data.accessToken),s}}}function T(t){let{getCurrentUser:e}=t;return {hasRole(n){let r=e();return !r||!r.roles?false:r.roles.includes(n)},hasPermission(n,r){let a=e();if(!a||!a.permissions)return  false;let s=`${n}.${r}`;return a.permissions.includes(s)},hasAnyPermission(n){return n.some(({resource:r,action:a})=>this.hasPermission(r,a))},hasAllPermissions(n){return n.every(({resource:r,action:a})=>this.hasPermission(r,a))}}}function P(t){let{http:e,storage:n,onUserUpdate:r}=t;return {async getMe(){let a=n.getItem("amaster_access_token");if(!a)return {data:null,error:{message:"Not authenticated",status:401},status:401};let s=await e.request({url:"/api/auth/me",method:"get",headers:{Authorization:`Bearer ${a}`}});return s.data&&r(s.data),s},async updateMe(a){let s=n.getItem("amaster_access_token");if(!s)return {data:null,error:{message:"Not authenticated",status:401},status:401};let o=await e.request({url:"/api/auth/me",method:"put",headers:{Authorization:`Bearer ${s}`,"Content-Type":"application/json"},data:a});return o.data&&r(o.data),o},async changePassword(a){let s=n.getItem("amaster_access_token");return s?e.request({url:"/api/auth/change-password",method:"post",headers:{Authorization:`Bearer ${s}`,"Content-Type":"application/json"},data:a}):{data:null,error:{message:"Not authenticated",status:401},status:401}}}}function E(t){let{http:e,storage:n}=t;return {async getOAuthBindings(){let r=n.getItem("amaster_access_token");return r?e.request({url:"/api/auth/oauth-bindings",method:"get",headers:{Authorization:`Bearer ${r}`}}):{data:null,error:{message:"Not authenticated",status:401},status:401}},bindOAuth(r){if(typeof window>"u"){console.error("[AuthClient] OAuth binding is only available in browser environment");return}window.location.href=`/api/auth/oauth/${r}/bind`;},async unbindOAuth(r){let a=n.getItem("amaster_access_token");return a?e.request({url:`/api/auth/oauth/${r}/unbind`,method:"delete",headers:{Authorization:`Bearer ${a}`}}):{data:null,error:{message:"Not authenticated",status:401},status:401}}}}function O(t){let{http:e,storage:n}=t;return {async getSession(){let r=n.getItem("amaster_access_token");return r?e.request({url:"/api/auth/sessions/current",method:"get",headers:{Authorization:`Bearer ${r}`}}):{data:null,error:{message:"Not authenticated",status:401},status:401}},async getSessions(){let r=n.getItem("amaster_access_token");return r?e.request({url:"/api/auth/sessions",method:"get",headers:{Authorization:`Bearer ${r}`}}):{data:null,error:{message:"Not authenticated",status:401},status:401}},async revokeSession(r){let a=n.getItem("amaster_access_token");return a?r?e.request({url:`/api/auth/sessions/${r}`,method:"delete",headers:{Authorization:`Bearer ${a}`}}):{data:null,error:{message:"Session ID is required",status:400},status:400}:{data:null,error:{message:"Not authenticated",status:401},status:401}},async revokeAllSessions(){let r=n.getItem("amaster_access_token");return r?e.request({url:"/api/auth/sessions",method:"delete",headers:{Authorization:`Bearer ${r}`}}):{data:null,error:{message:"Not authenticated",status:401},status:401}}}}function Y(t={},e){let {baseURL:n,headers:r,onTokenExpired:a,onUnauthorized:s,autoHandleOAuthCallback:o=true}=t,c=e||httpClient.createHttpClient({...R,baseURL:n,headers:r}),m=300,u=v(),g=new C,y=new A,f=null;try{let i=u.getItem(d.USER);i&&(f=JSON.parse(i));}catch(i){console.error("[AuthClient] Failed to load user from storage:",i);}let p;y.setRefreshCallback(async()=>{let i=await p.refreshToken();i.data?(await p.getMe(),g.emit("tokenRefreshed",i.data.accessToken)):(g.emit("tokenExpired"),a?.());});function M(i,h){u.setItem(d.ACCESS_TOKEN,h),u.setItem(d.USER,JSON.stringify(i)),f=i,y.scheduleRefreshFromToken(h,m),g.emit("login",i);}function U(i){f=i,u.setItem(d.USER,JSON.stringify(i));}function S(){u.clear(),f=null,y.clearSchedule();}function b(){return f}let I=w({http:c,onLoginSuccess:M,storage:u,clearAuth:S}),x=T({getCurrentUser:b}),_=P({http:c,storage:u,onUserUpdate:U}),L=E({http:c,storage:u}),H=O({http:c,storage:u});if(p={...I,...x,..._,...L,...H,on(i,h){g.on(i,h);},off(i,h){g.off(i,h);},isAuthenticated(){return !!u.getItem(d.ACCESS_TOKEN)},getAccessToken(){return u.getItem(d.ACCESS_TOKEN)},setAccessToken(i){u.setItem(d.ACCESS_TOKEN,i),y.scheduleRefreshFromToken(i,m);},clearAuth:S},p.on("unauthorized",()=>{s?.();}),p.isAuthenticated()&&p.getMe().catch(i=>{console.warn("[AuthClient] Failed to sync user info on init:",i);}),o&&typeof window<"u"){let i=window.location.hash;i&&(i.includes("access_token")||i.includes("accessToken"))&&p.handleOAuthCallback().then(h=>{h.error&&console.error("[AuthClient] Auto OAuth callback failed:",h.error);}).catch(h=>{console.error("[AuthClient] Auto OAuth callback error:",h);});}return p}exports.createAuthClient=Y;exports.defaultHttpClientOptions=R;exports.transformAmasterResponse=k;//# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map