@authagonal/login 0.3.0 → 0.3.2

package/dist/index.js

@@ -4434,7 +4434,13 @@ J.use(Tr).use(P).init({
 		caches: ["localStorage"]
 	}
 });
-var Pr = J, Fr = [
+var Pr = J;
+//#endregion
+//#region src/components/AuthLayout.tsx
+function Fr(e) {
+	return /^#(?:[0-9a-f]{3}|[0-9a-f]{6}|[0-9a-f]{8})$/i.test(e) || /^(?:rgb|rgba|hsl|hsla)\([0-9.,%\s/]+\)$/i.test(e);
+}
+var Ir = [
 	{
 		code: "en",
 		label: "English"
@@ -4468,7 +4474,7 @@ var Pr = J, Fr = [
 		label: "tlhIngan"
 	}
 ];
-function Ir() {
+function Lr() {
 	let { theme: e, setTheme: t } = fe(), n = [
 		{
 			value: "light",
@@ -4496,15 +4502,17 @@ function Ir() {
 		}, n))
 	});
 }
-function Lr({ children: e }) {
+function Rr({ children: e }) {
 	let t = se(), { i18n: n } = L();
 	return fe(), a(() => {
-		if (document.documentElement.style.setProperty("--brand-primary", t.primaryColor), t.customCssUrl) {
-			let e = document.createElement("link");
-			return e.rel = "stylesheet", e.href = t.customCssUrl, e.id = "branding-css", document.head.appendChild(e), () => {
-				e.remove();
-			};
-		}
+		if (t.primaryColor && Fr(t.primaryColor) && document.documentElement.style.setProperty("--brand-primary", t.primaryColor), t.customCssUrl) try {
+			if (new URL(t.customCssUrl, window.location.origin).origin === window.location.origin) {
+				let e = document.createElement("link");
+				return e.rel = "stylesheet", e.href = t.customCssUrl, e.id = "branding-css", document.head.appendChild(e), () => {
+					e.remove();
+				};
+			}
+		} catch {}
 	}, [t]), /* @__PURE__ */ l("div", {
 		className: "min-h-screen flex items-center justify-center p-4",
 		"data-auth": "page",
@@ -4538,32 +4546,32 @@ function Lr({ children: e }) {
 				/* @__PURE__ */ l("div", {
 					className: "flex flex-wrap justify-center gap-1 mt-6 pt-4 border-t border-gray-200 dark:border-gray-800",
 					"data-auth": "languages",
-					children: (t.languages ?? Fr).map((e) => /* @__PURE__ */ l("button", {
+					children: (t.languages ?? Ir).map((e) => /* @__PURE__ */ l("button", {
 						type: "button",
 						className: U("bg-transparent border-none px-2 py-1 text-xs rounded cursor-pointer transition-colors", n.language === e.code || n.language?.startsWith(e.code) ? "text-primary font-semibold" : "text-gray-400 dark:text-gray-500 hover:text-gray-700 dark:hover:text-gray-300 hover:bg-gray-100 dark:hover:bg-gray-800"),
 						onClick: () => n.changeLanguage(e.code),
 						children: e.label
 					}, e.code))
 				}),
-				/* @__PURE__ */ l(Ir, {})
+				/* @__PURE__ */ l(Lr, {})
 			]
 		})
 	});
 }
 //#endregion
 //#region node_modules/class-variance-authority/dist/index.mjs
-var Rr = (e) => typeof e == "boolean" ? `${e}` : e === 0 ? "0" : e, zr = me, Br = (e, t) => (n) => {
-	if (t?.variants == null) return zr(e, n?.class, n?.className);
+var zr = (e) => typeof e == "boolean" ? `${e}` : e === 0 ? "0" : e, Br = me, Vr = (e, t) => (n) => {
+	if (t?.variants == null) return Br(e, n?.class, n?.className);
 	let { variants: r, defaultVariants: i } = t, a = Object.keys(r).map((e) => {
 		let t = n?.[e], a = i?.[e];
 		if (t === null) return null;
-		let o = Rr(t) || Rr(a);
+		let o = zr(t) || zr(a);
 		return r[e][o];
 	}), o = n && Object.entries(n).reduce((e, t) => {
 		let [n, r] = t;
 		return r === void 0 || (e[n] = r), e;
 	}, {});
-	return zr(e, a, t?.compoundVariants?.reduce((e, t) => {
+	return Br(e, a, t?.compoundVariants?.reduce((e, t) => {
 		let { class: n, className: r, ...a } = t;
 		return Object.entries(a).every((e) => {
 			let [t, n] = e;
@@ -4580,7 +4588,7 @@ var Rr = (e) => typeof e == "boolean" ? `${e}` : e === 0 ? "0" : e, zr = me, Br
 			r
 		] : e;
 	}, []), n?.class, n?.className);
-}, Vr = Br("inline-flex w-full items-center justify-center gap-2 rounded-md text-base font-medium transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-primary/30 disabled:pointer-events-none disabled:opacity-50 cursor-pointer", {
+}, Hr = Vr("inline-flex w-full items-center justify-center gap-2 rounded-md text-base font-medium transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-primary/30 disabled:pointer-events-none disabled:opacity-50 cursor-pointer", {
 	variants: {
 		variant: {
 			default: "bg-primary text-white hover:bg-primary/85",
@@ -4598,7 +4606,7 @@ var Rr = (e) => typeof e == "boolean" ? `${e}` : e === 0 ? "0" : e, zr = me, Br
 		size: "default"
 	}
 }), Y = n(({ className: e, variant: t, size: n, loading: r, children: i, disabled: a, ...o }, s) => /* @__PURE__ */ u("button", {
-	className: U(Vr({
+	className: U(Hr({
 		variant: t,
 		size: n,
 		className: e
@@ -4628,7 +4636,7 @@ var Z = n(({ className: e, ...t }, n) => /* @__PURE__ */ l("label", {
 Z.displayName = "Label";
 //#endregion
 //#region src/components/ui/alert.tsx
-var Hr = Br("rounded-md border px-3 py-2.5 text-sm mb-4", {
+var Ur = Vr("rounded-md border px-3 py-2.5 text-sm mb-4", {
 	variants: { variant: {
 		error: "bg-red-50 text-red-800 border-red-200 dark:bg-red-950/40 dark:text-red-300 dark:border-red-900",
 		success: "bg-green-50 text-green-800 border-green-200 dark:bg-green-950/40 dark:text-green-300 dark:border-green-900"
@@ -4636,7 +4644,7 @@ var Hr = Br("rounded-md border px-3 py-2.5 text-sm mb-4", {
 	defaultVariants: { variant: "error" }
 }), Q = n(({ className: e, variant: t, ...n }, r) => /* @__PURE__ */ l("div", {
 	ref: r,
-	className: U(Hr({
+	className: U(Ur({
 		variant: t,
 		className: e
 	})),
@@ -4645,7 +4653,7 @@ var Hr = Br("rounded-md border px-3 py-2.5 text-sm mb-4", {
 Q.displayName = "Alert";
 //#endregion
 //#region src/components/ui/separator.tsx
-function Ur({ label: e, className: t }) {
+function Wr({ label: e, className: t }) {
 	return /* @__PURE__ */ u("div", {
 		className: U("flex items-center gap-3 my-4 text-gray-400 dark:text-gray-500 text-[13px]", t),
 		children: [
@@ -4657,7 +4665,7 @@ function Ur({ label: e, className: t }) {
 }
 //#endregion
 //#region src/api.ts
-var Wr = "", Gr = class extends Error {
+var Gr = "", Kr = class extends Error {
 	error;
 	retryAfter;
 	redirectUrl;
@@ -4666,7 +4674,7 @@ var Wr = "", Gr = class extends Error {
 	}
 };
 async function $(e, t) {
-	let n = `${Wr}${e}`, r = await fetch(n, {
+	let n = `${Gr}${e}`, r = await fetch(n, {
 		...t,
 		credentials: "include",
 		headers: {
@@ -4684,14 +4692,14 @@ async function $(e, t) {
 				message: `Request failed with status ${r.status}`
 			};
 		}
-		throw new Gr(e);
+		throw new Kr(e);
 	}
 	return r.json();
 }
-function Kr(e) {
+function qr(e) {
 	return e ? { "X-MFA-Setup-Token": e } : {};
 }
-function qr(e, t, n) {
+function Jr(e, t, n) {
 	return $(n ? `/api/auth/login?returnUrl=${encodeURIComponent(n)}` : "/api/auth/login", {
 		method: "POST",
 		body: JSON.stringify({
@@ -4700,7 +4708,7 @@ function qr(e, t, n) {
 		})
 	});
 }
-function Jr(e, t, n, r) {
+function Yr(e, t, n, r) {
 	return $("/api/auth/register", {
 		method: "POST",
 		body: JSON.stringify({
@@ -4711,16 +4719,16 @@ function Jr(e, t, n, r) {
 		})
 	});
 }
-function Yr() {
+function Xr() {
 	return $("/api/auth/logout", { method: "POST" });
 }
-function Xr(e) {
+function Zr(e) {
 	return $("/api/auth/forgot-password", {
 		method: "POST",
 		body: JSON.stringify({ email: e })
 	});
 }
-function Zr(e, t) {
+function Qr(e, t) {
 	return $("/api/auth/reset-password", {
 		method: "POST",
 		body: JSON.stringify({
@@ -4729,19 +4737,19 @@ function Zr(e, t) {
 		})
 	});
 }
-function Qr() {
+function $r() {
 	return $("/api/auth/session");
 }
-function $r(e) {
+function ei(e) {
 	return $(`/api/auth/sso-check?email=${encodeURIComponent(e)}`);
 }
-function ei() {
+function ti() {
 	return $("/api/auth/providers");
 }
-function ti() {
+function ni() {
 	return $("/api/auth/password-policy");
 }
-function ni(e, t, n, r) {
+function ri(e, t, n, r) {
 	return $("/api/auth/mfa/verify", {
 		method: "POST",
 		body: JSON.stringify({
@@ -4752,57 +4760,57 @@ function ni(e, t, n, r) {
 		})
 	});
 }
-function ri(e) {
-	return $("/api/auth/mfa/status", { headers: Kr(e) });
-}
 function ii(e) {
+	return $("/api/auth/mfa/status", { headers: qr(e) });
+}
+function ai(e) {
 	return $("/api/auth/mfa/totp/setup", {
 		method: "POST",
-		headers: Kr(e)
+		headers: qr(e)
 	});
 }
-function ai(e, t, n) {
+function oi(e, t, n) {
 	return $("/api/auth/mfa/totp/confirm", {
 		method: "POST",
 		body: JSON.stringify({
 			setupToken: e,
 			code: t
 		}),
-		headers: Kr(n)
+		headers: qr(n)
 	});
 }
-function oi(e) {
+function si(e) {
 	return $("/api/auth/mfa/recovery/generate", {
 		method: "POST",
-		headers: Kr(e)
+		headers: qr(e)
 	});
 }
-function si(e) {
+function ci(e) {
 	return $("/api/auth/mfa/webauthn/setup", {
 		method: "POST",
-		headers: Kr(e)
+		headers: qr(e)
 	});
 }
-function ci(e, t, n) {
+function li(e, t, n) {
 	return $("/api/auth/mfa/webauthn/confirm", {
 		method: "POST",
 		body: JSON.stringify({
 			setupToken: e,
 			attestationResponse: t
 		}),
-		headers: Kr(n)
+		headers: qr(n)
 	});
 }
-function li(e, t) {
+function ui(e, t) {
 	return $(`/api/auth/mfa/credentials/${e}`, {
 		method: "DELETE",
-		headers: Kr(t)
+		headers: qr(t)
 	});
 }
 //#endregion
 //#region src/pages/LoginPage.tsx
-var ui = "";
-function di(e) {
+var di = "";
+function fi(e) {
 	if (!e) return !1;
 	try {
 		return new URL(e, window.location.origin).origin === window.location.origin && e.startsWith("/");
@@ -4810,12 +4818,12 @@ function di(e) {
 		return !1;
 	}
 }
-function fi() {
+function pi() {
 	let { t: e } = L(), t = se(), n = g(), [i] = _(), d = i.get("returnUrl") || "", p = i.get("login_hint") || "", m = i.get("error_description") || i.get("error") || "", h = i.get("message") || "", [v, y] = s(p), [b, x] = s(""), [S, C] = s(m), [w] = s(() => h === "registration_success" ? e("registrationSuccess") : ""), [T, E] = s(!1), [D, O] = s(null), [k, A] = s(!1), [j, M] = s(!1), [N, ee] = s([]), [te, P] = s(null), [F, ne] = s(null), re = o(null), ie = o(""), I = r(async (e) => {
 		if (!(!e.includes("@") || e === ie.current)) {
 			ie.current = e, M(!0), C("");
 			try {
-				let t = await $r(e);
+				let t = await ei(e);
 				t.ssoRequired && t.redirectUrl ? O({ redirectUrl: t.redirectUrl }) : O(null), A(!0);
 			} catch {
 				O(null), A(!0);
@@ -4825,14 +4833,14 @@ function fi() {
 		}
 	}, []);
 	a(() => {
-		d && di(d) || Qr().then((e) => {
+		d && fi(d) || $r().then((e) => {
 			e.authenticated && P({
 				name: e.name,
 				email: e.email
 			});
 		}).catch(() => {});
 	}, [d]), a(() => {
-		ei().then((e) => ee(e.providers ?? [])).catch(() => {});
+		ti().then((e) => ee(e.providers ?? [])).catch(() => {});
 	}, []), a(() => {
 		p && p.includes("@") && I(p);
 	}, [p, I]);
@@ -4845,19 +4853,19 @@ function fi() {
 		y(e), e !== ie.current && (A(!1), O(null));
 	}
 	function R(e) {
-		let t = new URL(`${ui}${e.loginUrl}`, window.location.origin);
-		d && di(d) && t.searchParams.set("returnUrl", d), window.location.href = t.toString();
+		let t = new URL(`${di}${e.loginUrl}`, window.location.origin);
+		d && fi(d) && t.searchParams.set("returnUrl", d), window.location.href = t.toString();
 	}
 	function ce() {
 		if (D) {
-			let e = new URL(`${ui}${D.redirectUrl}`, window.location.origin);
-			d && di(d) && e.searchParams.set("returnUrl", d), v && e.searchParams.set("loginHint", v), window.location.href = e.toString();
+			let e = new URL(`${di}${D.redirectUrl}`, window.location.origin);
+			d && fi(d) && e.searchParams.set("returnUrl", d), v && e.searchParams.set("loginHint", v), window.location.href = e.toString();
 		}
 	}
 	async function le(t) {
 		t.preventDefault(), C(""), E(!0);
 		try {
-			let e = await qr(v, b, d || void 0);
+			let e = await Jr(v, b, d || void 0);
 			if (e.mfaRequired && e.challengeId) {
 				n(`/mfa-challenge?${new URLSearchParams({
 					challengeId: e.challengeId,
@@ -4885,9 +4893,9 @@ function fi() {
 					return;
 				}
 			}
-			d && di(d) ? window.location.href = d : window.location.href = "/";
+			d && fi(d) ? window.location.href = d : window.location.href = "/";
 		} catch (t) {
-			if (t instanceof Gr) switch (t.error) {
+			if (t instanceof Kr) switch (t.error) {
 				case "invalid_credentials":
 					C(e("errorInvalidCredentials"));
 					break;
@@ -4899,8 +4907,8 @@ function fi() {
 					break;
 				case "sso_required":
 					if (t.redirectUrl) {
-						let e = new URL(`${ui}${t.redirectUrl}`, window.location.origin);
-						d && di(d) && e.searchParams.set("returnUrl", d), window.location.href = e.toString();
+						let e = new URL(`${di}${t.redirectUrl}`, window.location.origin);
+						d && fi(d) && e.searchParams.set("returnUrl", d), window.location.href = e.toString();
 						return;
 					}
 					C(e("errorSsoRequired"));
@@ -4918,7 +4926,7 @@ function fi() {
 			E(!1);
 		}
 	}
-	let ue = d && di(d) ? `/forgot-password?returnUrl=${encodeURIComponent(d)}` : "/forgot-password", de = k && !D;
+	let ue = d && fi(d) ? `/forgot-password?returnUrl=${encodeURIComponent(d)}` : "/forgot-password", de = k && !D;
 	return F ? /* @__PURE__ */ u("div", { children: [
 		/* @__PURE__ */ l(W, { children: e("mfaPromptTitle") }),
 		/* @__PURE__ */ l("p", {
@@ -4934,7 +4942,7 @@ function fi() {
 			variant: "secondary",
 			onClick: () => {
 				localStorage.setItem(`mfa-prompt-dismissed:${F.userId}:${F.clientId}`, "1");
-				let e = F.returnUrl && di(F.returnUrl) ? F.returnUrl : "/";
+				let e = F.returnUrl && fi(F.returnUrl) ? F.returnUrl : "/";
 				window.location.href = e;
 			},
 			children: e("mfaPromptSkip")
@@ -4948,7 +4956,7 @@ function fi() {
 		/* @__PURE__ */ l(G, { children: /* @__PURE__ */ l(Y, {
 			variant: "secondary",
 			onClick: () => {
-				Yr().then(() => {
+				Xr().then(() => {
 					P(null);
 				}).catch(() => {
 					P(null);
@@ -4989,7 +4997,7 @@ function fi() {
 						})
 					]
 				}), e("continueWith", { provider: t.name })]
-			}, t.connectionId)), /* @__PURE__ */ l(Ur, { label: e("or") })]
+			}, t.connectionId)), /* @__PURE__ */ l(Wr, { label: e("or") })]
 		}),
 		N.length > 0 && de && /* @__PURE__ */ u("div", {
 			className: "flex items-center gap-3 mb-4 text-gray-400 dark:text-gray-500 text-[13px]",
@@ -5114,19 +5122,19 @@ function fi() {
 }
 //#endregion
 //#region src/pages/RegisterPage.tsx
-function pi() {
+function mi() {
 	let { t: e } = L(), t = g(), [n] = _(), r = n.get("returnUrl") || "", [i, a] = s(""), [o, c] = s(""), [d, p] = s(""), [m, h] = s(""), [v, y] = s(""), [b, x] = s(!1), [S, C] = s([]), [w, T] = s(!1);
 	function E() {
-		w || ti().then((e) => C(e.rules)).catch(() => {}).finally(() => T(!0));
+		w || ni().then((e) => C(e.rules)).catch(() => {}).finally(() => T(!0));
 	}
 	async function D(n) {
 		n.preventDefault(), y(""), x(!0);
 		try {
-			await Jr(i, o, d || void 0, m || void 0);
+			await Yr(i, o, d || void 0, m || void 0);
 			let e = new URLSearchParams();
 			r && e.set("returnUrl", r), e.set("login_hint", i), e.set("message", "registration_success"), t(`/login?${e.toString()}`);
 		} catch (t) {
-			if (t instanceof Gr) switch (t.error) {
+			if (t instanceof Kr) switch (t.error) {
 				case "email_already_registered":
 					y(e("errorEmailAlreadyRegistered"));
 					break;
@@ -5246,12 +5254,12 @@ function pi() {
 }
 //#endregion
 //#region src/pages/ForgotPasswordPage.tsx
-function mi() {
+function hi() {
 	let { t: e } = L(), [t] = _(), n = t.get("returnUrl") || "", [r, i] = s(""), [a, o] = s(!1), [c, d] = s(!1), [p, m] = s(""), h = n ? `/login?returnUrl=${encodeURIComponent(n)}` : "/login";
 	async function g(t) {
 		t.preventDefault(), m(""), o(!0);
 		try {
-			await Xr(r), d(!0);
+			await Zr(r), d(!0);
 		} catch {
 			m(e("errorUnexpected"));
 		} finally {
@@ -5315,7 +5323,7 @@ function mi() {
 }
 //#endregion
 //#region src/pages/ResetPasswordPage.tsx
-var hi = "", gi = [
+var gi = "", _i = [
 	{
 		rule: "minLength",
 		value: 8,
@@ -5342,7 +5350,7 @@ var hi = "", gi = [
 		label: "Special character"
 	}
 ];
-function _i(e, t) {
+function vi(e, t) {
 	return t.map((t) => {
 		let n = !1;
 		switch (t.rule) {
@@ -5369,10 +5377,10 @@ function _i(e, t) {
 		};
 	});
 }
-function vi() {
-	let { t: e } = L(), [t] = _(), n = t.get("p") || "", [r, i] = s(""), [o, c] = s(""), [d, p] = s(!1), [m, h] = s(""), [g, v] = s(!1), [y, b] = s(""), [x, S] = s(gi);
+function yi() {
+	let { t: e } = L(), [t] = _(), n = t.get("p") || "", [r, i] = s(""), [o, c] = s(""), [d, p] = s(!1), [m, h] = s(""), [g, v] = s(!1), [y, b] = s(""), [x, S] = s(_i);
 	a(() => {
-		fetch(`${hi}/api/auth/password-policy`).then((e) => e.ok ? e.json() : null).then((e) => {
+		fetch(`${gi}/api/auth/password-policy`).then((e) => e.ok ? e.json() : null).then((e) => {
 			e?.rules && S(e.rules);
 		}).catch(() => {});
 	}, []);
@@ -5386,7 +5394,7 @@ function vi() {
 			default: return t.label;
 		}
 	}
-	let w = _i(r, x.map((e) => ({
+	let w = vi(r, x.map((e) => ({
 		...e,
 		label: C(e)
 	}))), T = w.every((e) => e.met);
@@ -5401,9 +5409,9 @@ function vi() {
 		}
 		p(!0);
 		try {
-			await Zr(n, r), v(!0);
+			await Qr(n, r), v(!0);
 		} catch (t) {
-			if (t instanceof Gr) switch (t.error) {
+			if (t instanceof Kr) switch (t.error) {
 				case "weak_password":
 					h(t.message || e("passwordWeakError"));
 					break;
@@ -5513,7 +5521,7 @@ function vi() {
 }
 //#endregion
 //#region src/pages/MfaChallengePage.tsx
-function yi(e) {
+function bi(e) {
 	if (!e) return !1;
 	try {
 		return new URL(e, window.location.origin).origin === window.location.origin && e.startsWith("/");
@@ -5521,21 +5529,21 @@ function yi(e) {
 		return !1;
 	}
 }
-function bi(e) {
+function xi(e) {
 	let t = e.replace(/-/g, "+").replace(/_/g, "/"), n = t.length % 4 == 0 ? "" : "=".repeat(4 - t.length % 4), r = atob(t + n), i = new Uint8Array(r.length);
 	for (let e = 0; e < r.length; e++) i[e] = r.charCodeAt(e);
 	return i.buffer;
 }
-function xi(e) {
+function Si(e) {
 	let t = new Uint8Array(e), n = "";
 	for (let e of t) n += String.fromCharCode(e);
 	return btoa(n).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
-function Si() {
+function Ci() {
 	let { t: e } = L(), [t] = _(), n = t.get("challengeId") || "", i = t.get("returnUrl") || "", a = t.get("methods") || "", o = a ? a.split(",") : [], c = o.includes("webauthn"), [d, f] = s(c ? "webauthn" : o.includes("totp") ? "totp" : o[0] || "totp"), [p, m] = s(""), [h, g] = s(""), [v, y] = s(!1), b = r(() => {
-		i && yi(i) ? window.location.href = i : window.location.href = "/";
+		i && bi(i) ? window.location.href = i : window.location.href = "/";
 	}, [i]), x = r((t) => {
-		if (t instanceof Gr) switch (t.error) {
+		if (t instanceof Kr) switch (t.error) {
 			case "invalid_code":
 			case "assertion_failed":
 				g(e("mfaInvalidCode"));
@@ -5556,12 +5564,12 @@ function Si() {
 				return;
 			}
 			let i = JSON.parse(r), a = {
-				challenge: bi(i.challenge),
+				challenge: xi(i.challenge),
 				rpId: i.rpId,
 				timeout: i.timeout || 6e4,
 				userVerification: i.userVerification || "preferred",
 				allowCredentials: (i.allowCredentials || []).map((e) => ({
-					id: bi(e.id),
+					id: xi(e.id),
 					type: e.type,
 					transports: e.transports
 				}))
@@ -5571,15 +5579,15 @@ function Si() {
 				return;
 			}
 			let s = o.response;
-			await ni(n, "webauthn", void 0, JSON.stringify({
+			await ri(n, "webauthn", void 0, JSON.stringify({
 				id: o.id,
-				rawId: xi(o.rawId),
+				rawId: Si(o.rawId),
 				type: o.type,
 				response: {
-					authenticatorData: xi(s.authenticatorData),
-					clientDataJSON: xi(s.clientDataJSON),
-					signature: xi(s.signature),
-					userHandle: s.userHandle ? xi(s.userHandle) : null
+					authenticatorData: Si(s.authenticatorData),
+					clientDataJSON: Si(s.clientDataJSON),
+					signature: Si(s.signature),
+					userHandle: s.userHandle ? Si(s.userHandle) : null
 				}
 			})), b();
 		} catch (t) {
@@ -5592,7 +5600,7 @@ function Si() {
 		if (e.preventDefault(), p.trim()) {
 			g(""), y(!0);
 			try {
-				await ni(n, d, p), b();
+				await ri(n, d, p), b();
 			} catch (e) {
 				x(e);
 			} finally {
@@ -5686,7 +5694,7 @@ function Si() {
 }
 //#endregion
 //#region src/pages/MfaSetupPage.tsx
-function Ci(e) {
+function wi(e) {
 	if (!e) return !1;
 	try {
 		return new URL(e, window.location.origin).origin === window.location.origin && e.startsWith("/");
@@ -5694,24 +5702,24 @@ function Ci(e) {
 		return !1;
 	}
 }
-function wi(e) {
+function Ti(e) {
 	let t = e.replace(/-/g, "+").replace(/_/g, "/"), n = t.length % 4 == 0 ? "" : "=".repeat(4 - t.length % 4), r = atob(t + n), i = new Uint8Array(r.length);
 	for (let e = 0; e < r.length; e++) i[e] = r.charCodeAt(e);
 	return i.buffer;
 }
-function Ti(e) {
+function Ei(e) {
 	let t = new Uint8Array(e), n = "";
 	for (let e of t) n += String.fromCharCode(e);
 	return btoa(n).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
-function Ei() {
+function Di() {
 	let { t: e } = L(), [t] = _(), n = t.get("setupToken") || void 0, r = t.get("returnUrl") || "", i = t.get("backUrl") || "", [o, c] = s(!1), [d, f] = s([]), [p, m] = s(""), [h, g] = s(!0), [v, y] = s(null), [b, x] = s(""), [S, C] = s(!1), [w, T] = s(!1), [E, D] = s(null), [O, k] = s(!1);
 	a(() => {
 		A();
 	}, []);
 	async function A() {
 		try {
-			let e = await ri(n);
+			let e = await ii(n);
 			c(e.enabled), f(e.methods);
 		} catch {
 			m(e("errorUnexpected"));
@@ -5720,14 +5728,14 @@ function Ei() {
 		}
 	}
 	function j() {
-		n && (r && Ci(r) ? window.location.href = r : window.location.href = "/");
+		n && (r && wi(r) ? window.location.href = r : window.location.href = "/");
 	}
 	async function M() {
 		m(""), C(!0);
 		try {
-			y(await ii(n));
+			y(await ai(n));
 		} catch (t) {
-			t instanceof Gr && t.error === "totp_already_enrolled" ? m(e("mfaTotpAlreadyEnrolled")) : m(e("errorUnexpected"));
+			t instanceof Kr && t.error === "totp_already_enrolled" ? m(e("mfaTotpAlreadyEnrolled")) : m(e("errorUnexpected"));
 		} finally {
 			C(!1);
 		}
@@ -5736,9 +5744,9 @@ function Ei() {
 		if (!(!v || !b)) {
 			m(""), C(!0);
 			try {
-				await ai(v.setupToken, b, n), y(null), x(""), j(), await A();
+				await oi(v.setupToken, b, n), y(null), x(""), j(), await A();
 			} catch (t) {
-				t instanceof Gr && t.error === "invalid_code" ? m(e("mfaInvalidCode")) : m(e("errorUnexpected"));
+				t instanceof Kr && t.error === "invalid_code" ? m(e("mfaInvalidCode")) : m(e("errorUnexpected"));
 			} finally {
 				C(!1);
 			}
@@ -5747,19 +5755,19 @@ function Ei() {
 	async function ee() {
 		m(""), T(!0);
 		try {
-			let { setupToken: t, options: r } = await si(n), i = {
-				challenge: wi(r.challenge),
+			let { setupToken: t, options: r } = await ci(n), i = {
+				challenge: Ti(r.challenge),
 				rp: r.rp,
 				user: {
 					...r.user,
-					id: wi(r.user.id)
+					id: Ti(r.user.id)
 				},
 				pubKeyCredParams: r.pubKeyCredParams,
 				timeout: r.timeout || 6e4,
 				attestation: r.attestation || "none",
 				authenticatorSelection: r.authenticatorSelection,
 				excludeCredentials: (r.excludeCredentials || []).map((e) => ({
-					id: wi(e.id),
+					id: Ti(e.id),
 					type: e.type,
 					transports: e.transports
 				}))
@@ -5769,17 +5777,17 @@ function Ei() {
 				return;
 			}
 			let o = a.response;
-			await ci(t, JSON.stringify({
+			await li(t, JSON.stringify({
 				id: a.id,
-				rawId: Ti(a.rawId),
+				rawId: Ei(a.rawId),
 				type: a.type,
 				response: {
-					attestationObject: Ti(o.attestationObject),
-					clientDataJSON: Ti(o.clientDataJSON)
+					attestationObject: Ei(o.attestationObject),
+					clientDataJSON: Ei(o.clientDataJSON)
 				}
 			}), n), j(), await A();
 		} catch (t) {
-			t instanceof DOMException && t.name === "NotAllowedError" ? m(e("mfaWebAuthnCancelled")) : t instanceof Gr ? m(t.message || e("errorUnexpected")) : m(e("errorUnexpected"));
+			t instanceof DOMException && t.name === "NotAllowedError" ? m(e("mfaWebAuthnCancelled")) : t instanceof Kr ? m(t.message || e("errorUnexpected")) : m(e("errorUnexpected"));
 		} finally {
 			T(!1);
 		}
@@ -5787,9 +5795,9 @@ function Ei() {
 	async function te() {
 		m(""), k(!0);
 		try {
-			D((await oi(n)).codes), await A();
+			D((await si(n)).codes), await A();
 		} catch (t) {
-			t instanceof Gr && t.error === "primary_method_required" ? m(e("mfaRecoveryRequiresPrimary")) : m(e("errorUnexpected"));
+			t instanceof Kr && t.error === "primary_method_required" ? m(e("mfaRecoveryRequiresPrimary")) : m(e("errorUnexpected"));
 		} finally {
 			k(!1);
 		}
@@ -5797,7 +5805,7 @@ function Ei() {
 	async function P(t) {
 		m("");
 		try {
-			await li(t, n), await A();
+			await ui(t, n), await A();
 		} catch {
 			m(e("errorUnexpected"));
 		}
@@ -5954,13 +5962,13 @@ function Ei() {
 				type: "button",
 				className: "bg-transparent border-none cursor-pointer text-[13px] text-gray-500 dark:text-gray-400 hover:text-gray-700 dark:hover:text-gray-200",
 				onClick: () => {
-					let e = r && Ci(r) ? r : "/";
+					let e = r && wi(r) ? r : "/";
 					window.location.href = e;
 				},
 				children: e("mfaSkipSetup")
 			})
 		}),
-		i && /* @__PURE__ */ l("div", {
+		i && wi(i) && /* @__PURE__ */ l("div", {
 			className: "mt-6 text-center pt-4 border-t border-gray-200 dark:border-gray-800",
 			children: /* @__PURE__ */ u("a", {
 				href: i,
@@ -5972,11 +5980,11 @@ function Ei() {
 }
 //#endregion
 //#region src/pages/DevicePage.tsx
-var Di = "";
-function Oi() {
+var Oi = "";
+function ki() {
 	let e = g(), [t] = _(), [n, r] = s(t.get("user_code") || ""), [i, o] = s(!1), [c, d] = s(!0), [f, p] = s(!1), [m, h] = s(!1), [v, y] = s("");
 	a(() => {
-		Qr().then((e) => {
+		$r().then((e) => {
 			p(!!e?.userId);
 		}).catch(() => p(!1)).finally(() => d(!1));
 	}, []);
@@ -5988,7 +5996,7 @@ function Oi() {
 			return;
 		}
 		try {
-			let e = await fetch(`${Di}/api/auth/device/approve`, {
+			let e = await fetch(`${Oi}/api/auth/device/approve`, {
 				method: "POST",
 				headers: { "Content-Type": "application/x-www-form-urlencoded" },
 				credentials: "include",
@@ -6103,7 +6111,7 @@ function Oi() {
 }
 //#endregion
 //#region src/pages/ConsentPage.tsx
-var ki = {
+var Ai = {
 	openid: "consent.scopeOpenid",
 	profile: "consent.scopeProfile",
 	email: "consent.scopeEmail",
@@ -6111,7 +6119,7 @@ var ki = {
 	address: "consent.scopeAddress",
 	phone: "consent.scopePhone"
 };
-function Ai() {
+function ji() {
 	let { t: e } = L(), [t] = _(), n = t.get("client_id") ?? "", r = t.get("scope") ?? "openid", i = t.get("returnUrl") ?? "/", [o, c] = s(null), [d, f] = s(!0), [p, m] = s(!1), [h, g] = s("");
 	a(() => {
 		fetch(`/consent/info?client_id=${encodeURIComponent(n)}&scope=${encodeURIComponent(r)}`).then(async (e) => {
@@ -6141,10 +6149,10 @@ function Ai() {
 			g(e("consent.submitError")), m(!1);
 		}
 	}
-	return d ? /* @__PURE__ */ l(Lr, { children: /* @__PURE__ */ l("p", {
+	return d ? /* @__PURE__ */ l(Rr, { children: /* @__PURE__ */ l("p", {
 		className: "text-sm text-gray-500 dark:text-gray-400 text-center",
 		children: e("consent.loading")
-	}) }) : /* @__PURE__ */ u(Lr, { children: [
+	}) }) : /* @__PURE__ */ u(Rr, { children: [
 		o?.logoUri && /* @__PURE__ */ l("div", {
 			className: "flex justify-center mb-4",
 			children: /* @__PURE__ */ l("img", {
@@ -6182,7 +6190,7 @@ function Ai() {
 		/* @__PURE__ */ l("div", {
 			className: "space-y-2 mb-6",
 			children: (o?.scopes ?? r.split(" ")).map((t) => {
-				let n = ki[t];
+				let n = Ai[t];
 				return /* @__PURE__ */ u("div", {
 					className: "flex items-center gap-3 p-3 bg-gray-50 dark:bg-gray-800/60 rounded-lg",
 					children: [/* @__PURE__ */ l("div", { className: "w-2 h-2 bg-primary rounded-full shrink-0" }), /* @__PURE__ */ l("span", {
@@ -6215,7 +6223,7 @@ function Ai() {
 }
 //#endregion
 //#region src/pages/GrantsPage.tsx
-function ji() {
+function Mi() {
 	let { t: e } = L(), [t, n] = s([]), [r, i] = s(!0), [o, c] = s(""), [d, f] = s("");
 	a(() => {
 		fetch("/consent/grants").then(async (e) => {
@@ -6235,7 +6243,7 @@ function ji() {
 			}
 		}
 	}
-	return /* @__PURE__ */ u(Lr, { children: [
+	return /* @__PURE__ */ u(Rr, { children: [
 		/* @__PURE__ */ l(W, { children: e("grants.title") }),
 		/* @__PURE__ */ l("p", {
 			className: "text-sm text-gray-500 dark:text-gray-400 mb-4",
@@ -6281,43 +6289,43 @@ function ji() {
 }
 //#endregion
 //#region src/App.tsx
-function Mi() {
-	return /* @__PURE__ */ l(d, { children: /* @__PURE__ */ l(Lr, { children: /* @__PURE__ */ u(h, { children: [
+function Ni() {
+	return /* @__PURE__ */ l(d, { children: /* @__PURE__ */ l(Rr, { children: /* @__PURE__ */ u(h, { children: [
 		/* @__PURE__ */ l(m, {
 			path: "/login",
-			element: /* @__PURE__ */ l(fi, {})
+			element: /* @__PURE__ */ l(pi, {})
 		}),
 		/* @__PURE__ */ l(m, {
 			path: "/register",
-			element: /* @__PURE__ */ l(pi, {})
+			element: /* @__PURE__ */ l(mi, {})
 		}),
 		/* @__PURE__ */ l(m, {
 			path: "/forgot-password",
-			element: /* @__PURE__ */ l(mi, {})
+			element: /* @__PURE__ */ l(hi, {})
 		}),
 		/* @__PURE__ */ l(m, {
 			path: "/reset-password",
-			element: /* @__PURE__ */ l(vi, {})
+			element: /* @__PURE__ */ l(yi, {})
 		}),
 		/* @__PURE__ */ l(m, {
 			path: "/mfa-challenge",
-			element: /* @__PURE__ */ l(Si, {})
+			element: /* @__PURE__ */ l(Ci, {})
 		}),
 		/* @__PURE__ */ l(m, {
 			path: "/mfa-setup",
-			element: /* @__PURE__ */ l(Ei, {})
+			element: /* @__PURE__ */ l(Di, {})
 		}),
 		/* @__PURE__ */ l(m, {
 			path: "/device",
-			element: /* @__PURE__ */ l(Oi, {})
+			element: /* @__PURE__ */ l(ki, {})
 		}),
 		/* @__PURE__ */ l(m, {
 			path: "/consent",
-			element: /* @__PURE__ */ l(Ai, {})
+			element: /* @__PURE__ */ l(ji, {})
 		}),
 		/* @__PURE__ */ l(m, {
 			path: "/grants",
-			element: /* @__PURE__ */ l(ji, {})
+			element: /* @__PURE__ */ l(Mi, {})
 		}),
 		/* @__PURE__ */ l(m, {
 			path: "*",
@@ -6329,4 +6337,4 @@ function Mi() {
 	] }) }) });
 }
 //#endregion
-export { Q as Alert, Gr as ApiRequestError, Mi as App, Lr as AuthLayout, R as BrandingContext, Y as Button, Lt as Card, Bt as CardContent, zt as CardDescription, G as CardFooter, Rt as CardHeader, W as CardTitle, mi as ForgotPasswordPage, X as Input, Z as Label, fi as LoginPage, Si as MfaChallengePage, Ei as MfaSetupPage, pi as RegisterPage, vi as ResetPasswordPage, Ur as Separator, U as cn, Xr as forgotPassword, ti as getPasswordPolicy, ei as getProviders, Qr as getSession, Pr as i18n, oe as loadBranding, qr as login, Yr as logout, li as mfaDeleteCredential, oi as mfaRecoveryGenerate, ri as mfaStatus, ai as mfaTotpConfirm, ii as mfaTotpSetup, ni as mfaVerify, ci as mfaWebAuthnConfirm, si as mfaWebAuthnSetup, Zr as resetPassword, ce as resolveLocalized, $r as ssoCheck, se as useBranding, L as useTranslation };
+export { Q as Alert, Kr as ApiRequestError, Ni as App, Rr as AuthLayout, R as BrandingContext, Y as Button, Lt as Card, Bt as CardContent, zt as CardDescription, G as CardFooter, Rt as CardHeader, W as CardTitle, hi as ForgotPasswordPage, X as Input, Z as Label, pi as LoginPage, Ci as MfaChallengePage, Di as MfaSetupPage, mi as RegisterPage, yi as ResetPasswordPage, Wr as Separator, U as cn, Zr as forgotPassword, ni as getPasswordPolicy, ti as getProviders, $r as getSession, Pr as i18n, oe as loadBranding, Jr as login, Xr as logout, ui as mfaDeleteCredential, si as mfaRecoveryGenerate, ii as mfaStatus, oi as mfaTotpConfirm, ai as mfaTotpSetup, ri as mfaVerify, li as mfaWebAuthnConfirm, ci as mfaWebAuthnSetup, Qr as resetPassword, ce as resolveLocalized, ei as ssoCheck, se as useBranding, L as useTranslation };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@authagonal/login",
-  "version": "0.3.0",
+  "version": "0.3.2",
   "description": "Default login UI for Authagonal — runtime-configurable via branding.json",
   "type": "module",
   "license": "MIT",

package/src/components/AuthLayout.tsx

@@ -13,6 +13,12 @@ interface AuthLayoutProps {
   children: ReactNode;
 }
 
+// Accept only hex (#rgb/#rrggbb/#rrggbbaa) or rgb()/rgba()/hsl()/hsla() forms.
+function isSafeCssColor(color: string): boolean {
+  return /^#(?:[0-9a-f]{3}|[0-9a-f]{6}|[0-9a-f]{8})$/i.test(color)
+    || /^(?:rgb|rgba|hsl|hsla)\([0-9.,%\s/]+\)$/i.test(color);
+}
+
 const ALL_LANGUAGES: { code: string; label: string }[] = [
   { code: 'en', label: 'English' },
   { code: 'zh-Hans', label: '中文' },
@@ -60,15 +66,24 @@ export default function AuthLayout({ children }: AuthLayoutProps) {
   useDarkMode();
 
   useEffect(() => {
-    document.documentElement.style.setProperty('--brand-primary', branding.primaryColor);
+    if (branding.primaryColor && isSafeCssColor(branding.primaryColor)) {
+      document.documentElement.style.setProperty('--brand-primary', branding.primaryColor);
+    }
 
     if (branding.customCssUrl) {
-      const link = document.createElement('link');
-      link.rel = 'stylesheet';
-      link.href = branding.customCssUrl;
-      link.id = 'branding-css';
-      document.head.appendChild(link);
-      return () => { link.remove(); };
+      try {
+        const parsed = new URL(branding.customCssUrl, window.location.origin);
+        if (parsed.origin === window.location.origin) {
+          const link = document.createElement('link');
+          link.rel = 'stylesheet';
+          link.href = branding.customCssUrl;
+          link.id = 'branding-css';
+          document.head.appendChild(link);
+          return () => { link.remove(); };
+        }
+      } catch {
+        // Invalid URL — skip injecting custom CSS.
+      }
     }
   }, [branding]);
 

package/src/pages/MfaSetupPage.tsx

@@ -354,7 +354,7 @@ export default function MfaSetupPage() {
       )}
 
       {/* Back to app link — shown when navigating from an external app */}
-      {backUrl && (
+      {backUrl && isSafeReturnUrl(backUrl) && (
         <div className="mt-6 text-center pt-4 border-t border-gray-200 dark:border-gray-800">
           <a href={backUrl} className="text-sm text-primary no-underline hover:underline">
             &larr; {t('mfaBackToApp')}